wangwei
/
aiforge
Not watched
1
0
Fork 0
Code
Releases 128 Wiki Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain
You can not select more than 25 topics Topics must start with a chinese character,a letter or number, can include dashes ('-') and can be up to 35 characters long.
7223 Commits
197 Branches
346 MB
572 Download
Tree: e777c6bdc6
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'e777c6bdc6'
${ noResults }
aiforge/routers/user/oauth.go

oauth.go 15 kB
Raw Normal View History

Integrate OAuth2 Provider (#5378)
6 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452 
  1. // Copyright 2019 The Gitea Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package user

  6. 

  7. import (

  8. 	"fmt"

  9. 	"net/url"

  10. 

  11. 	"github.com/dgrijalva/jwt-go"

  12. 	"github.com/go-macaron/binding"

  13. 

  14. 	"code.gitea.io/gitea/models"

  15. 	"code.gitea.io/gitea/modules/auth"

  16. 	"code.gitea.io/gitea/modules/base"

  17. 	"code.gitea.io/gitea/modules/context"

  18. 	"code.gitea.io/gitea/modules/log"

  19. 	"code.gitea.io/gitea/modules/setting"

  20. 	"code.gitea.io/gitea/modules/util"

  21. )

  22. 

  23. const (

  24. 	tplGrantAccess base.TplName = "user/auth/grant"

  25. 	tplGrantError  base.TplName = "user/auth/grant_error"

  26. )

  27. 

  28. // TODO move error and responses to SDK or models

  29. 

  30. // AuthorizeErrorCode represents an error code specified in RFC 6749

  31. type AuthorizeErrorCode string

  32. 

  33. const (

  34. 	// ErrorCodeInvalidRequest represents the according error in RFC 6749

  35. 	ErrorCodeInvalidRequest AuthorizeErrorCode = "invalid_request"

  36. 	// ErrorCodeUnauthorizedClient represents the according error in RFC 6749

  37. 	ErrorCodeUnauthorizedClient AuthorizeErrorCode = "unauthorized_client"

  38. 	// ErrorCodeAccessDenied represents the according error in RFC 6749

  39. 	ErrorCodeAccessDenied AuthorizeErrorCode = "access_denied"

  40. 	// ErrorCodeUnsupportedResponseType represents the according error in RFC 6749

  41. 	ErrorCodeUnsupportedResponseType AuthorizeErrorCode = "unsupported_response_type"

  42. 	// ErrorCodeInvalidScope represents the according error in RFC 6749

  43. 	ErrorCodeInvalidScope AuthorizeErrorCode = "invalid_scope"

  44. 	// ErrorCodeServerError represents the according error in RFC 6749

  45. 	ErrorCodeServerError AuthorizeErrorCode = "server_error"

  46. 	// ErrorCodeTemporaryUnavailable represents the according error in RFC 6749

  47. 	ErrorCodeTemporaryUnavailable AuthorizeErrorCode = "temporarily_unavailable"

  48. )

  49. 

  50. // AuthorizeError represents an error type specified in RFC 6749

  51. type AuthorizeError struct {

  52. 	ErrorCode        AuthorizeErrorCode `json:"error" form:"error"`

  53. 	ErrorDescription string

  54. 	State            string

  55. }

  56. 

  57. // Error returns the error message

  58. func (err AuthorizeError) Error() string {

  59. 	return fmt.Sprintf("%s: %s", err.ErrorCode, err.ErrorDescription)

  60. }

  61. 

  62. // AccessTokenErrorCode represents an error code specified in RFC 6749

  63. type AccessTokenErrorCode string

  64. 

  65. const (

  66. 	// AccessTokenErrorCodeInvalidRequest represents an error code specified in RFC 6749

  67. 	AccessTokenErrorCodeInvalidRequest AccessTokenErrorCode = "invalid_request"

  68. 	// AccessTokenErrorCodeInvalidClient represents an error code specified in RFC 6749

  69. 	AccessTokenErrorCodeInvalidClient = "invalid_client"

  70. 	// AccessTokenErrorCodeInvalidGrant represents an error code specified in RFC 6749

  71. 	AccessTokenErrorCodeInvalidGrant = "invalid_grant"

  72. 	// AccessTokenErrorCodeUnauthorizedClient represents an error code specified in RFC 6749

  73. 	AccessTokenErrorCodeUnauthorizedClient = "unauthorized_client"

  74. 	// AccessTokenErrorCodeUnsupportedGrantType represents an error code specified in RFC 6749

  75. 	AccessTokenErrorCodeUnsupportedGrantType = "unsupported_grant_type"

  76. 	// AccessTokenErrorCodeInvalidScope represents an error code specified in RFC 6749

  77. 	AccessTokenErrorCodeInvalidScope = "invalid_scope"

  78. )

  79. 

  80. // AccessTokenError represents an error response specified in RFC 6749

  81. type AccessTokenError struct {

  82. 	ErrorCode        AccessTokenErrorCode `json:"error" form:"error"`

  83. 	ErrorDescription string               `json:"error_description"`

  84. }

  85. 

  86. // Error returns the error message

  87. func (err AccessTokenError) Error() string {

  88. 	return fmt.Sprintf("%s: %s", err.ErrorCode, err.ErrorDescription)

  89. }

  90. 

  91. // TokenType specifies the kind of token

  92. type TokenType string

  93. 

  94. const (

  95. 	// TokenTypeBearer represents a token type specified in RFC 6749

  96. 	TokenTypeBearer TokenType = "bearer"

  97. 	// TokenTypeMAC represents a token type specified in RFC 6749

  98. 	TokenTypeMAC = "mac"

  99. )

  100. 

  101. // AccessTokenResponse represents a successful access token response

  102. type AccessTokenResponse struct {

  103. 	AccessToken string    `json:"access_token"`

  104. 	TokenType   TokenType `json:"token_type"`

  105. 	ExpiresIn   int64     `json:"expires_in"`

  106. 	// TODO implement RefreshToken

  107. 	RefreshToken string `json:"refresh_token"`

  108. }

  109. 

  110. func newAccessTokenResponse(grant *models.OAuth2Grant) (*AccessTokenResponse, *AccessTokenError) {

  111. 	if err := grant.IncreaseCounter(); err != nil {

  112. 		return nil, &AccessTokenError{

  113. 			ErrorCode:        AccessTokenErrorCodeInvalidGrant,

  114. 			ErrorDescription: "cannot increase the grant counter",

  115. 		}

  116. 	}

  117. 	// generate access token to access the API

  118. 	expirationDate := util.TimeStampNow().Add(setting.OAuth2.AccessTokenExpirationTime)

  119. 	accessToken := &models.OAuth2Token{

  120. 		GrantID: grant.ID,

  121. 		Type:    models.TypeAccessToken,

  122. 		StandardClaims: jwt.StandardClaims{

  123. 			ExpiresAt: expirationDate.AsTime().Unix(),

  124. 		},

  125. 	}

  126. 	signedAccessToken, err := accessToken.SignToken()

  127. 	if err != nil {

  128. 		return nil, &AccessTokenError{

  129. 			ErrorCode:        AccessTokenErrorCodeInvalidRequest,

  130. 			ErrorDescription: "cannot sign token",

  131. 		}

  132. 	}

  133. 

  134. 	// generate refresh token to request an access token after it expired later

  135. 	refreshExpirationDate := util.TimeStampNow().Add(setting.OAuth2.RefreshTokenExpirationTime * 60 * 60).AsTime().Unix()

  136. 	refreshToken := &models.OAuth2Token{

  137. 		GrantID: grant.ID,

  138. 		Counter: grant.Counter,

  139. 		Type:    models.TypeRefreshToken,

  140. 		StandardClaims: jwt.StandardClaims{

  141. 			ExpiresAt: refreshExpirationDate,

  142. 		},

  143. 	}

  144. 	signedRefreshToken, err := refreshToken.SignToken()

  145. 	if err != nil {

  146. 		return nil, &AccessTokenError{

  147. 			ErrorCode:        AccessTokenErrorCodeInvalidRequest,

  148. 			ErrorDescription: "cannot sign token",

  149. 		}

  150. 	}

  151. 

  152. 	return &AccessTokenResponse{

  153. 		AccessToken:  signedAccessToken,

  154. 		TokenType:    TokenTypeBearer,

  155. 		ExpiresIn:    setting.OAuth2.AccessTokenExpirationTime,

  156. 		RefreshToken: signedRefreshToken,

  157. 	}, nil

  158. }

  159. 

  160. // AuthorizeOAuth manages authorize requests

  161. func AuthorizeOAuth(ctx *context.Context, form auth.AuthorizationForm) {

  162. 	errs := binding.Errors{}

  163. 	errs = form.Validate(ctx.Context, errs)

  164. 

  165. 	app, err := models.GetOAuth2ApplicationByClientID(form.ClientID)

  166. 	if err != nil {

  167. 		if models.IsErrOauthClientIDInvalid(err) {

  168. 			handleAuthorizeError(ctx, AuthorizeError{

  169. 				ErrorCode:        ErrorCodeUnauthorizedClient,

  170. 				ErrorDescription: "Client ID not registered",

  171. 				State:            form.State,

  172. 			}, "")

  173. 			return

  174. 		}

  175. 		ctx.ServerError("GetOAuth2ApplicationByClientID", err)

  176. 		return

  177. 	}

  178. 	if err := app.LoadUser(); err != nil {

  179. 		ctx.ServerError("LoadUser", err)

  180. 		return

  181. 	}

  182. 

  183. 	if !app.ContainsRedirectURI(form.RedirectURI) {

  184. 		handleAuthorizeError(ctx, AuthorizeError{

  185. 			ErrorCode:        ErrorCodeInvalidRequest,

  186. 			ErrorDescription: "Unregistered Redirect URI",

  187. 			State:            form.State,

  188. 		}, "")

  189. 		return

  190. 	}

  191. 

  192. 	if form.ResponseType != "code" {

  193. 		handleAuthorizeError(ctx, AuthorizeError{

  194. 			ErrorCode:        ErrorCodeUnsupportedResponseType,

  195. 			ErrorDescription: "Only code response type is supported.",

  196. 			State:            form.State,

  197. 		}, form.RedirectURI)

  198. 		return

  199. 	}

  200. 

  201. 	// pkce support

  202. 	switch form.CodeChallengeMethod {

  203. 	case "S256":

  204. 	case "plain":

  205. 		if err := ctx.Session.Set("CodeChallengeMethod", form.CodeChallengeMethod); err != nil {

  206. 			handleAuthorizeError(ctx, AuthorizeError{

  207. 				ErrorCode:        ErrorCodeServerError,

  208. 				ErrorDescription: "cannot set code challenge method",

  209. 				State:            form.State,

  210. 			}, form.RedirectURI)

  211. 			return

  212. 		}

  213. 		if err := ctx.Session.Set("CodeChallengeMethod", form.CodeChallenge); err != nil {

  214. 			handleAuthorizeError(ctx, AuthorizeError{

  215. 				ErrorCode:        ErrorCodeServerError,

  216. 				ErrorDescription: "cannot set code challenge",

  217. 				State:            form.State,

  218. 			}, form.RedirectURI)

  219. 			return

  220. 		}

  221. 		break

  222. 	case "":

  223. 		break

  224. 	default:

  225. 		handleAuthorizeError(ctx, AuthorizeError{

  226. 			ErrorCode:        ErrorCodeInvalidRequest,

  227. 			ErrorDescription: "unsupported code challenge method",

  228. 			State:            form.State,

  229. 		}, form.RedirectURI)

  230. 		return

  231. 	}

  232. 

  233. 	grant, err := app.GetGrantByUserID(ctx.User.ID)

  234. 	if err != nil {

  235. 		handleServerError(ctx, form.State, form.RedirectURI)

  236. 		return

  237. 	}

  238. 

  239. 	// Redirect if user already granted access

  240. 	if grant != nil {

  241. 		code, err := grant.GenerateNewAuthorizationCode(form.RedirectURI, form.CodeChallenge, form.CodeChallengeMethod)

  242. 		if err != nil {

  243. 			handleServerError(ctx, form.State, form.RedirectURI)

  244. 			return

  245. 		}

  246. 		redirect, err := code.GenerateRedirectURI(form.State)

  247. 		if err != nil {

  248. 			handleServerError(ctx, form.State, form.RedirectURI)

  249. 			return

  250. 		}

  251. 		ctx.Redirect(redirect.String(), 302)

  252. 		return

  253. 	}

  254. 

  255. 	// show authorize page to grant access

  256. 	ctx.Data["Application"] = app

  257. 	ctx.Data["RedirectURI"] = form.RedirectURI

  258. 	ctx.Data["State"] = form.State

  259. 	ctx.Data["ApplicationUserLink"] = "<a href=\"" + setting.LocalURL + app.User.LowerName + "\">@" + app.User.Name + "</a>"

  260. 	ctx.Data["ApplicationRedirectDomainHTML"] = "<strong>" + form.RedirectURI + "</strong>"

  261. 	// TODO document SESSION <=> FORM

  262. 	ctx.Session.Set("client_id", app.ClientID)

  263. 	ctx.Session.Set("redirect_uri", form.RedirectURI)

  264. 	ctx.Session.Set("state", form.State)

  265. 	ctx.HTML(200, tplGrantAccess)

  266. }

  267. 

  268. // GrantApplicationOAuth manages the post request submitted when a user grants access to an application

  269. func GrantApplicationOAuth(ctx *context.Context, form auth.GrantApplicationForm) {

  270. 	if ctx.Session.Get("client_id") != form.ClientID || ctx.Session.Get("state") != form.State ||

  271. 		ctx.Session.Get("redirect_uri") != form.RedirectURI {

  272. 		ctx.Error(400)

  273. 		return

  274. 	}

  275. 	app, err := models.GetOAuth2ApplicationByClientID(form.ClientID)

  276. 	if err != nil {

  277. 		ctx.ServerError("GetOAuth2ApplicationByClientID", err)

  278. 		return

  279. 	}

  280. 	grant, err := app.CreateGrant(ctx.User.ID)

  281. 	if err != nil {

  282. 		handleAuthorizeError(ctx, AuthorizeError{

  283. 			State:            form.State,

  284. 			ErrorDescription: "cannot create grant for user",

  285. 			ErrorCode:        ErrorCodeServerError,

  286. 		}, form.RedirectURI)

  287. 		return

  288. 	}

  289. 

  290. 	var codeChallenge, codeChallengeMethod string

  291. 	codeChallenge, _ = ctx.Session.Get("CodeChallenge").(string)

  292. 	codeChallengeMethod, _ = ctx.Session.Get("CodeChallengeMethod").(string)

  293. 

  294. 	code, err := grant.GenerateNewAuthorizationCode(form.RedirectURI, codeChallenge, codeChallengeMethod)

  295. 	if err != nil {

  296. 		handleServerError(ctx, form.State, form.RedirectURI)

  297. 		return

  298. 	}

  299. 	redirect, err := code.GenerateRedirectURI(form.State)

  300. 	if err != nil {

  301. 		handleServerError(ctx, form.State, form.RedirectURI)

  302. 	}

  303. 	ctx.Redirect(redirect.String(), 302)

  304. }

  305. 

  306. // AccessTokenOAuth manages all access token requests by the client

  307. func AccessTokenOAuth(ctx *context.Context, form auth.AccessTokenForm) {

  308. 	switch form.GrantType {

  309. 	case "refresh_token":

  310. 		handleRefreshToken(ctx, form)

  311. 		return

  312. 	case "authorization_code":

  313. 		handleAuthorizationCode(ctx, form)

  314. 		return

  315. 	default:

  316. 		handleAccessTokenError(ctx, AccessTokenError{

  317. 			ErrorCode:        AccessTokenErrorCodeUnsupportedGrantType,

  318. 			ErrorDescription: "Only refresh_token or authorization_code grant type is supported",

  319. 		})

  320. 	}

  321. }

  322. 

  323. func handleRefreshToken(ctx *context.Context, form auth.AccessTokenForm) {

  324. 	token, err := models.ParseOAuth2Token(form.RefreshToken)

  325. 	if err != nil {

  326. 		handleAccessTokenError(ctx, AccessTokenError{

  327. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,

  328. 			ErrorDescription: "client is not authorized",

  329. 		})

  330. 		return

  331. 	}

  332. 	// get grant before increasing counter

  333. 	grant, err := models.GetOAuth2GrantByID(token.GrantID)

  334. 	if err != nil || grant == nil {

  335. 		handleAccessTokenError(ctx, AccessTokenError{

  336. 			ErrorCode:        AccessTokenErrorCodeInvalidGrant,

  337. 			ErrorDescription: "grant does not exist",

  338. 		})

  339. 		return

  340. 	}

  341. 

  342. 	// check if token got already used

  343. 	if grant.Counter != token.Counter || token.Counter == 0 {

  344. 		handleAccessTokenError(ctx, AccessTokenError{

  345. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,

  346. 			ErrorDescription: "token was already used",

  347. 		})

  348. 		log.Warn("A client tried to use a refresh token for grant_id = %d was used twice!", grant.ID)

  349. 		return

  350. 	}

  351. 	accessToken, tokenErr := newAccessTokenResponse(grant)

  352. 	if tokenErr != nil {

  353. 		handleAccessTokenError(ctx, *tokenErr)

  354. 		return

  355. 	}

  356. 	ctx.JSON(200, accessToken)

  357. }

  358. 

  359. func handleAuthorizationCode(ctx *context.Context, form auth.AccessTokenForm) {

  360. 	app, err := models.GetOAuth2ApplicationByClientID(form.ClientID)

  361. 	if err != nil {

  362. 		handleAccessTokenError(ctx, AccessTokenError{

  363. 			ErrorCode:        AccessTokenErrorCodeInvalidClient,

  364. 			ErrorDescription: "cannot load client",

  365. 		})

  366. 		return

  367. 	}

  368. 	if !app.ValidateClientSecret([]byte(form.ClientSecret)) {

  369. 		handleAccessTokenError(ctx, AccessTokenError{

  370. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,

  371. 			ErrorDescription: "client is not authorized",

  372. 		})

  373. 		return

  374. 	}

  375. 	if form.RedirectURI != "" && !app.ContainsRedirectURI(form.RedirectURI) {

  376. 		handleAccessTokenError(ctx, AccessTokenError{

  377. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,

  378. 			ErrorDescription: "client is not authorized",

  379. 		})

  380. 		return

  381. 	}

  382. 	authorizationCode, err := models.GetOAuth2AuthorizationByCode(form.Code)

  383. 	if err != nil || authorizationCode == nil {

  384. 		handleAccessTokenError(ctx, AccessTokenError{

  385. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,

  386. 			ErrorDescription: "client is not authorized",

  387. 		})

  388. 		return

  389. 	}

  390. 	// check if code verifier authorizes the client, PKCE support

  391. 	if !authorizationCode.ValidateCodeChallenge(form.CodeVerifier) {

  392. 		handleAccessTokenError(ctx, AccessTokenError{

  393. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,

  394. 			ErrorDescription: "client is not authorized",

  395. 		})

  396. 		return

  397. 	}

  398. 	// check if granted for this application

  399. 	if authorizationCode.Grant.ApplicationID != app.ID {

  400. 		handleAccessTokenError(ctx, AccessTokenError{

  401. 			ErrorCode:        AccessTokenErrorCodeInvalidGrant,

  402. 			ErrorDescription: "invalid grant",

  403. 		})

  404. 		return

  405. 	}

  406. 	// remove token from database to deny duplicate usage

  407. 	if err := authorizationCode.Invalidate(); err != nil {

  408. 		handleAccessTokenError(ctx, AccessTokenError{

  409. 			ErrorCode:        AccessTokenErrorCodeInvalidRequest,

  410. 			ErrorDescription: "cannot proceed your request",

  411. 		})

  412. 	}

  413. 	resp, tokenErr := newAccessTokenResponse(authorizationCode.Grant)

  414. 	if tokenErr != nil {

  415. 		handleAccessTokenError(ctx, *tokenErr)

  416. 		return

  417. 	}

  418. 	// send successful response

  419. 	ctx.JSON(200, resp)

  420. }

  421. 

  422. func handleAccessTokenError(ctx *context.Context, acErr AccessTokenError) {

  423. 	ctx.JSON(400, acErr)

  424. }

  425. 

  426. func handleServerError(ctx *context.Context, state string, redirectURI string) {

  427. 	handleAuthorizeError(ctx, AuthorizeError{

  428. 		ErrorCode:        ErrorCodeServerError,

  429. 		ErrorDescription: "A server error occurred",

  430. 		State:            state,

  431. 	}, redirectURI)

  432. }

  433. 

  434. func handleAuthorizeError(ctx *context.Context, authErr AuthorizeError, redirectURI string) {

  435. 	if redirectURI == "" {

  436. 		log.Warn("Authorization failed: %v", authErr.ErrorDescription)

  437. 		ctx.Data["Error"] = authErr

  438. 		ctx.HTML(400, tplGrantError)

  439. 		return

  440. 	}

  441. 	redirect, err := url.Parse(redirectURI)

  442. 	if err != nil {

  443. 		ctx.ServerError("url.Parse", err)

  444. 		return

  445. 	}

  446. 	q := redirect.Query()

  447. 	q.Set("error", string(authErr.ErrorCode))

  448. 	q.Set("error_description", authErr.ErrorDescription)

  449. 	q.Set("state", authErr.State)

  450. 	redirect.RawQuery = q.Encode()

  451. 	ctx.Redirect(redirect.String(), 302)

  452. }

No Description