writefreely
/
writefreely
ミラー元 https://github.com/writefreely/writefreely.git
2
0
フォーク 0
コード 課題 リリース 25 Wiki アクティビティ
A clean, Markdown-based publishing platform made for writers. Write together, and build a community. https://writefreely.org
選択できるのは25トピックまでです。 トピックは、先頭が英数字で、英数字とダッシュ('-')を使用した35文字以内のものにしてください。
855 コミット
45 ブランチ
305 MiB
 
 
 
 
 
ブランチ: oauth-gitlab
ブランチ タグ
${ item.name }
ブランチ ${ searchTerm } を作成
'oauth-gitlab' から
${ noResults }
writefreely/oauth.go

319 行
11 KiB
Raw パーマリンク Blame 履歴 

  1. package writefreely

  2. 

  3. import (

  4. 	"context"

  5. 	"encoding/json"

  6. 	"fmt"

  7. 	"github.com/gorilla/mux"

  8. 	"github.com/gorilla/sessions"

  9. 	"github.com/writeas/impart"

  10. 	"github.com/writeas/web-core/log"

  11. 	"github.com/writeas/writefreely/config"

  12. 	"io"

  13. 	"io/ioutil"

  14. 	"net/http"

  15. 	"net/url"

  16. 	"strings"

  17. 	"time"

  18. )

  19. 

  20. // TokenResponse contains data returned when a token is created either

  21. // through a code exchange or using a refresh token.

  22. type TokenResponse struct {

  23. 	AccessToken  string `json:"access_token"`

  24. 	ExpiresIn    int    `json:"expires_in"`

  25. 	RefreshToken string `json:"refresh_token"`

  26. 	TokenType    string `json:"token_type"`

  27. 	Error        string `json:"error"`

  28. }

  29. 

  30. // InspectResponse contains data returned when an access token is inspected.

  31. type InspectResponse struct {

  32. 	ClientID    string    `json:"client_id"`

  33. 	UserID      string    `json:"user_id"`

  34. 	ExpiresAt   time.Time `json:"expires_at"`

  35. 	Username    string    `json:"username"`

  36. 	DisplayName string    `json:"-"`

  37. 	Email       string    `json:"email"`

  38. 	Error       string    `json:"error"`

  39. }

  40. 

  41. // tokenRequestMaxLen is the most bytes that we'll read from the /oauth/token

  42. // endpoint. One megabyte is plenty.

  43. const tokenRequestMaxLen = 1000000

  44. 

  45. // infoRequestMaxLen is the most bytes that we'll read from the

  46. // /oauth/inspect endpoint.

  47. const infoRequestMaxLen = 1000000

  48. 

  49. // OAuthDatastoreProvider provides a minimal interface of data store, config,

  50. // and session store for use with the oauth handlers.

  51. type OAuthDatastoreProvider interface {

  52. 	DB() OAuthDatastore

  53. 	Config() *config.Config

  54. 	SessionStore() sessions.Store

  55. }

  56. 

  57. // OAuthDatastore provides a minimal interface of data store methods used in

  58. // oauth functionality.

  59. type OAuthDatastore interface {

  60. 	GetIDForRemoteUser(context.Context, string, string, string) (int64, error)

  61. 	RecordRemoteUserID(context.Context, int64, string, string, string, string) error

  62. 	ValidateOAuthState(context.Context, string) (string, string, error)

  63. 	GenerateOAuthState(context.Context, string, string) (string, error)

  64. 

  65. 	CreateUser(*config.Config, *User, string) error

  66. 	GetUserByID(int64) (*User, error)

  67. }

  68. 

  69. type HttpClient interface {

  70. 	Do(req *http.Request) (*http.Response, error)

  71. }

  72. 

  73. type oauthClient interface {

  74. 	GetProvider() string

  75. 	GetClientID() string

  76. 	GetCallbackLocation() string

  77. 	buildLoginURL(state string) (string, error)

  78. 	exchangeOauthCode(ctx context.Context, code string) (*TokenResponse, error)

  79. 	inspectOauthAccessToken(ctx context.Context, accessToken string) (*InspectResponse, error)

  80. }

  81. 

  82. type callbackProxyClient struct {

  83. 	server           string

  84. 	callbackLocation string

  85. 	httpClient       HttpClient

  86. }

  87. 

  88. type oauthHandler struct {

  89. 	Config        *config.Config

  90. 	DB            OAuthDatastore

  91. 	Store         sessions.Store

  92. 	EmailKey      []byte

  93. 	oauthClient   oauthClient

  94. 	callbackProxy *callbackProxyClient

  95. }

  96. 

  97. func (h oauthHandler) viewOauthInit(app *App, w http.ResponseWriter, r *http.Request) error {

  98. 	ctx := r.Context()

  99. 	state, err := h.DB.GenerateOAuthState(ctx, h.oauthClient.GetProvider(), h.oauthClient.GetClientID())

  100. 	if err != nil {

  101. 		return impart.HTTPError{http.StatusInternalServerError, "could not prepare oauth redirect url"}

  102. 	}

  103. 

  104. 	if h.callbackProxy != nil {

  105. 		if err := h.callbackProxy.register(ctx, state); err != nil {

  106. 			return impart.HTTPError{http.StatusInternalServerError, "could not register state server"}

  107. 		}

  108. 	}

  109. 

  110. 	location, err := h.oauthClient.buildLoginURL(state)

  111. 	if err != nil {

  112. 		return impart.HTTPError{http.StatusInternalServerError, "could not prepare oauth redirect url"}

  113. 	}

  114. 	return impart.HTTPError{http.StatusTemporaryRedirect, location}

  115. }

  116. 

  117. func configureSlackOauth(parentHandler *Handler, r *mux.Router, app *App) {

  118. 	if app.Config().SlackOauth.ClientID != "" {

  119. 		callbackLocation := app.Config().App.Host + "/oauth/callback/slack"

  120. 

  121. 		var stateRegisterClient *callbackProxyClient = nil

  122. 		if app.Config().SlackOauth.CallbackProxyAPI != "" {

  123. 			stateRegisterClient = &callbackProxyClient{

  124. 				server:           app.Config().SlackOauth.CallbackProxyAPI,

  125. 				callbackLocation: app.Config().App.Host + "/oauth/callback/slack",

  126. 				httpClient:       config.DefaultHTTPClient(),

  127. 			}

  128. 			callbackLocation = app.Config().SlackOauth.CallbackProxy

  129. 		}

  130. 		oauthClient := slackOauthClient{

  131. 			ClientID:         app.Config().SlackOauth.ClientID,

  132. 			ClientSecret:     app.Config().SlackOauth.ClientSecret,

  133. 			TeamID:           app.Config().SlackOauth.TeamID,

  134. 			HttpClient:       config.DefaultHTTPClient(),

  135. 			CallbackLocation: callbackLocation,

  136. 		}

  137. 		configureOauthRoutes(parentHandler, r, app, oauthClient, stateRegisterClient)

  138. 	}

  139. }

  140. 

  141. func configureWriteAsOauth(parentHandler *Handler, r *mux.Router, app *App) {

  142. 	if app.Config().WriteAsOauth.ClientID != "" {

  143. 		callbackLocation := app.Config().App.Host + "/oauth/callback/write.as"

  144. 

  145. 		var callbackProxy *callbackProxyClient = nil

  146. 		if app.Config().WriteAsOauth.CallbackProxy != "" {

  147. 			callbackProxy = &callbackProxyClient{

  148. 				server:           app.Config().WriteAsOauth.CallbackProxyAPI,

  149. 				callbackLocation: app.Config().App.Host + "/oauth/callback/write.as",

  150. 				httpClient:       config.DefaultHTTPClient(),

  151. 			}

  152. 			callbackLocation = app.Config().WriteAsOauth.CallbackProxy

  153. 		}

  154. 

  155. 		oauthClient := writeAsOauthClient{

  156. 			ClientID:         app.Config().WriteAsOauth.ClientID,

  157. 			ClientSecret:     app.Config().WriteAsOauth.ClientSecret,

  158. 			ExchangeLocation: config.OrDefaultString(app.Config().WriteAsOauth.TokenLocation, writeAsExchangeLocation),

  159. 			InspectLocation:  config.OrDefaultString(app.Config().WriteAsOauth.InspectLocation, writeAsIdentityLocation),

  160. 			AuthLocation:     config.OrDefaultString(app.Config().WriteAsOauth.AuthLocation, writeAsAuthLocation),

  161. 			HttpClient:       config.DefaultHTTPClient(),

  162. 			CallbackLocation: callbackLocation,

  163. 		}

  164. 		configureOauthRoutes(parentHandler, r, app, oauthClient, callbackProxy)

  165. 	}

  166. }

  167. 

  168. func configureGitlabOauth(parentHandler *Handler, r *mux.Router, app *App) {

  169. 	if app.Config().GitlabOauth.ClientID != "" {

  170. 		callbackLocation := app.Config().App.Host + "/oauth/callback/gitlab"

  171. 

  172. 		var callbackProxy *callbackProxyClient = nil

  173. 		if app.Config().GitlabOauth.CallbackProxy != "" {

  174. 			callbackProxy = &callbackProxyClient{

  175. 				server:           app.Config().GitlabOauth.CallbackProxyAPI,

  176. 				callbackLocation: app.Config().App.Host + "/oauth/callback/gitlab",

  177. 				httpClient:       config.DefaultHTTPClient(),

  178. 			}

  179. 			callbackLocation = app.Config().GitlabOauth.CallbackProxy

  180. 		}

  181. 

  182. 		oauthClient := gitlabOauthClient{

  183. 			ClientID:         app.Config().GitlabOauth.ClientID,

  184. 			ClientSecret:     app.Config().GitlabOauth.ClientSecret,

  185. 			ExchangeLocation: config.OrDefaultString(app.Config().GitlabOauth.TokenLocation, writeAsExchangeLocation),

  186. 			InspectLocation:  config.OrDefaultString(app.Config().GitlabOauth.InspectLocation, writeAsIdentityLocation),

  187. 			AuthLocation:     config.OrDefaultString(app.Config().GitlabOauth.AuthLocation, writeAsAuthLocation),

  188. 			HttpClient:       config.DefaultHTTPClient(),

  189. 			CallbackLocation: callbackLocation,

  190. 		}

  191. 		configureOauthRoutes(parentHandler, r, app, oauthClient, callbackProxy)

  192. 	}

  193. }

  194. 

  195. func configureOauthRoutes(parentHandler *Handler, r *mux.Router, app *App, oauthClient oauthClient, callbackProxy *callbackProxyClient) {

  196. 	handler := &oauthHandler{

  197. 		Config:        app.Config(),

  198. 		DB:            app.DB(),

  199. 		Store:         app.SessionStore(),

  200. 		oauthClient:   oauthClient,

  201. 		EmailKey:      app.keys.EmailKey,

  202. 		callbackProxy: callbackProxy,

  203. 	}

  204. 	r.HandleFunc("/oauth/"+oauthClient.GetProvider(), parentHandler.OAuth(handler.viewOauthInit)).Methods("GET")

  205. 	r.HandleFunc("/oauth/callback/"+oauthClient.GetProvider(), parentHandler.OAuth(handler.viewOauthCallback)).Methods("GET")

  206. 	r.HandleFunc("/oauth/signup", parentHandler.OAuth(handler.viewOauthSignup)).Methods("POST")

  207. }

  208. 

  209. func (h oauthHandler) viewOauthCallback(app *App, w http.ResponseWriter, r *http.Request) error {

  210. 	ctx := r.Context()

  211. 

  212. 	code := r.FormValue("code")

  213. 	state := r.FormValue("state")

  214. 

  215. 	provider, clientID, err := h.DB.ValidateOAuthState(ctx, state)

  216. 	if err != nil {

  217. 		log.Error("Unable to ValidateOAuthState: %s", err)

  218. 		return impart.HTTPError{http.StatusInternalServerError, err.Error()}

  219. 	}

  220. 

  221. 	tokenResponse, err := h.oauthClient.exchangeOauthCode(ctx, code)

  222. 	if err != nil {

  223. 		log.Error("Unable to exchangeOauthCode: %s", err)

  224. 		return impart.HTTPError{http.StatusInternalServerError, err.Error()}

  225. 	}

  226. 

  227. 	// Now that we have the access token, let's use it real quick to make sur

  228. 	// it really really works.

  229. 	tokenInfo, err := h.oauthClient.inspectOauthAccessToken(ctx, tokenResponse.AccessToken)

  230. 	if err != nil {

  231. 		log.Error("Unable to inspectOauthAccessToken: %s", err)

  232. 		return impart.HTTPError{http.StatusInternalServerError, err.Error()}

  233. 	}

  234. 

  235. 	localUserID, err := h.DB.GetIDForRemoteUser(ctx, tokenInfo.UserID, provider, clientID)

  236. 	if err != nil {

  237. 		log.Error("Unable to GetIDForRemoteUser: %s", err)

  238. 		return impart.HTTPError{http.StatusInternalServerError, err.Error()}

  239. 	}

  240. 

  241. 	if localUserID != -1 {

  242. 		user, err := h.DB.GetUserByID(localUserID)

  243. 		if err != nil {

  244. 			log.Error("Unable to GetUserByID %d: %s", localUserID, err)

  245. 			return impart.HTTPError{http.StatusInternalServerError, err.Error()}

  246. 		}

  247. 		if err = loginOrFail(h.Store, w, r, user); err != nil {

  248. 			log.Error("Unable to loginOrFail %d: %s", localUserID, err)

  249. 			return impart.HTTPError{http.StatusInternalServerError, err.Error()}

  250. 		}

  251. 		return nil

  252. 	}

  253. 

  254. 	displayName := tokenInfo.DisplayName

  255. 	if len(displayName) == 0 {

  256. 		displayName = tokenInfo.Username

  257. 	}

  258. 

  259. 	tp := &oauthSignupPageParams{

  260. 		AccessToken:     tokenResponse.AccessToken,

  261. 		TokenUsername:   tokenInfo.Username,

  262. 		TokenAlias:      tokenInfo.DisplayName,

  263. 		TokenEmail:      tokenInfo.Email,

  264. 		TokenRemoteUser: tokenInfo.UserID,

  265. 		Provider:        provider,

  266. 		ClientID:        clientID,

  267. 	}

  268. 	tp.TokenHash = tp.HashTokenParams(h.Config.Server.HashSeed)

  269. 

  270. 	return h.showOauthSignupPage(app, w, r, tp, nil)

  271. }

  272. 

  273. func (r *callbackProxyClient) register(ctx context.Context, state string) error {

  274. 	form := url.Values{}

  275. 	form.Add("state", state)

  276. 	form.Add("location", r.callbackLocation)

  277. 	req, err := http.NewRequestWithContext(ctx, "POST", r.server, strings.NewReader(form.Encode()))

  278. 	if err != nil {

  279. 		return err

  280. 	}

  281. 	req.Header.Set("User-Agent", "writefreely")

  282. 	req.Header.Set("Accept", "application/json")

  283. 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

  284. 

  285. 	resp, err := r.httpClient.Do(req)

  286. 	if err != nil {

  287. 		return err

  288. 	}

  289. 	if resp.StatusCode != http.StatusCreated {

  290. 		return fmt.Errorf("unable register state location: %d", resp.StatusCode)

  291. 	}

  292. 

  293. 	return nil

  294. }

  295. 

  296. func limitedJsonUnmarshal(body io.ReadCloser, n int, thing interface{}) error {

  297. 	lr := io.LimitReader(body, int64(n+1))

  298. 	data, err := ioutil.ReadAll(lr)

  299. 	if err != nil {

  300. 		return err

  301. 	}

  302. 	if len(data) == n+1 {

  303. 		return fmt.Errorf("content larger than max read allowance: %d", n)

  304. 	}

  305. 	return json.Unmarshal(data, thing)

  306. }

  307. 

  308. func loginOrFail(store sessions.Store, w http.ResponseWriter, r *http.Request, user *User) error {

  309. 	// An error may be returned, but a valid session should always be returned.

  310. 	session, _ := store.Get(r, cookieName)

  311. 	session.Values[cookieUserVal] = user.Cookie()

  312. 	if err := session.Save(r, w); err != nil {

  313. 		fmt.Println("error saving session", err)

  314. 		return err

  315. 	}

  316. 	http.Redirect(w, r, "/", http.StatusTemporaryRedirect)

  317. 	return nil

  318. }