4
0

restapi_auth_oauth2.go 9.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393
  1. package otoauth2
  2. import (
  3. "context"
  4. "crypto/rand"
  5. "crypto/tls"
  6. "crypto/x509"
  7. "encoding/base64"
  8. "encoding/json"
  9. "fmt"
  10. "io"
  11. "net/http"
  12. "os"
  13. "time"
  14. authTypes "github.com/OliveTin/OliveTin/internal/auth/authpublic"
  15. config "github.com/OliveTin/OliveTin/internal/config"
  16. log "github.com/sirupsen/logrus"
  17. "golang.org/x/oauth2"
  18. )
  19. type OAuth2Handler struct {
  20. cfg *config.Config
  21. registeredStates map[string]*oauth2State
  22. registeredProviders map[string]*oauth2.Config
  23. }
  24. func NewOAuth2Handler(cfg *config.Config) *OAuth2Handler {
  25. h := &OAuth2Handler{
  26. cfg: cfg,
  27. }
  28. h.registeredStates = make(map[string]*oauth2State)
  29. h.registeredProviders = make(map[string]*oauth2.Config)
  30. for providerName, providerConfig := range cfg.AuthOAuth2Providers {
  31. completeProviderConfig(providerName, providerConfig)
  32. newConfig := &oauth2.Config{
  33. ClientID: providerConfig.ClientID,
  34. ClientSecret: providerConfig.ClientSecret,
  35. Scopes: providerConfig.Scopes,
  36. Endpoint: oauth2.Endpoint{
  37. AuthURL: providerConfig.AuthUrl,
  38. TokenURL: providerConfig.TokenUrl,
  39. },
  40. RedirectURL: cfg.AuthOAuth2RedirectURL,
  41. }
  42. h.registeredProviders[providerName] = newConfig
  43. log.Debugf("Dumping newly registered provider: %v = %+v", providerName, providerConfig)
  44. }
  45. return h
  46. }
  47. type oauth2State struct {
  48. providerConfig *oauth2.Config
  49. providerName string
  50. Username string
  51. Usergroup string
  52. }
  53. func assignIfEmpty(target *string, value string) {
  54. if *target == "" {
  55. *target = value
  56. }
  57. }
  58. func completeProviderConfig(providerName string, providerConfig *config.OAuth2Provider) {
  59. dbConfig, ok := oauth2ProviderDatabase[providerName]
  60. if ok {
  61. assignIfEmpty(&providerConfig.Name, dbConfig.Name)
  62. assignIfEmpty(&providerConfig.Title, dbConfig.Title)
  63. assignIfEmpty(&providerConfig.WhoamiUrl, dbConfig.WhoamiUrl)
  64. assignIfEmpty(&providerConfig.TokenUrl, dbConfig.TokenUrl)
  65. assignIfEmpty(&providerConfig.AuthUrl, dbConfig.AuthUrl)
  66. assignIfEmpty(&providerConfig.Icon, dbConfig.Icon)
  67. assignIfEmpty(&providerConfig.UsernameField, dbConfig.UsernameField)
  68. if providerConfig.Scopes == nil {
  69. providerConfig.Scopes = dbConfig.Scopes
  70. }
  71. } else {
  72. log.Warnf("Provider not found in database: %v", providerName)
  73. }
  74. }
  75. func (h *OAuth2Handler) getOAuth2Config(providerName string) (*oauth2.Config, error) {
  76. config, ok := h.registeredProviders[providerName]
  77. if !ok {
  78. return nil, fmt.Errorf("provider not found in config: %v", providerName)
  79. }
  80. return config, nil
  81. }
  82. func randString(nByte int) (string, error) {
  83. b := make([]byte, nByte)
  84. if _, err := io.ReadFull(rand.Reader, b); err != nil {
  85. return "", err
  86. }
  87. return base64.URLEncoding.EncodeToString(b), nil
  88. }
  89. func (h *OAuth2Handler) setOAuthCallbackCookie(w http.ResponseWriter, r *http.Request, name, value string) {
  90. cookie := &http.Cookie{
  91. Name: name,
  92. Value: value,
  93. MaxAge: 900, // 15 minutes
  94. Secure: r.TLS != nil,
  95. HttpOnly: true,
  96. Path: "/",
  97. }
  98. http.SetCookie(w, cookie)
  99. }
  100. func (h *OAuth2Handler) HandleOAuthLogin(w http.ResponseWriter, r *http.Request) {
  101. state, err := randString(16)
  102. if err != nil {
  103. http.Error(w, err.Error(), http.StatusInternalServerError)
  104. return
  105. }
  106. providerName := r.URL.Query().Get("provider")
  107. provider, err := h.getOAuth2Config(providerName)
  108. if err != nil {
  109. log.Errorf("Failed to get provider config: %v %v", providerName, err)
  110. http.Error(w, err.Error(), http.StatusBadRequest)
  111. return
  112. }
  113. h.registeredStates[state] = &oauth2State{
  114. providerConfig: provider,
  115. providerName: providerName,
  116. Username: "",
  117. }
  118. h.setOAuthCallbackCookie(w, r, "olivetin-sid-oauth", state)
  119. log.Infof("OAuth2 state: %v mapped to provider %v (found: %v), now redirecting", state, providerName, provider != nil)
  120. http.Redirect(w, r, provider.AuthCodeURL(state), http.StatusFound)
  121. }
  122. func (h *OAuth2Handler) validateStateMatch(queryState, cookieState string) bool {
  123. return queryState == cookieState
  124. }
  125. func (h *OAuth2Handler) checkOAuthCallbackCookie(w http.ResponseWriter, r *http.Request) (*oauth2State, string, bool) {
  126. cookie, err := r.Cookie("olivetin-sid-oauth")
  127. if err != nil {
  128. log.Errorf("Failed to get state cookie: %v", err)
  129. http.Error(w, "State not found", http.StatusBadRequest)
  130. return nil, "", false
  131. }
  132. state := cookie.Value
  133. if !h.validateStateMatch(r.URL.Query().Get("state"), state) {
  134. log.Errorf("State mismatch: %v != %v", r.URL.Query().Get("state"), state)
  135. http.Error(w, "State mismatch", http.StatusBadRequest)
  136. return nil, state, false
  137. }
  138. registeredState, ok := h.registeredStates[state]
  139. if !ok {
  140. log.Errorf("State not found in server: %v", state)
  141. http.Error(w, "State not found in server", http.StatusBadRequest)
  142. return nil, state, false
  143. }
  144. return registeredState, state, true
  145. }
  146. type HttpClientSettings struct {
  147. Transport *http.Transport
  148. Timeout time.Duration
  149. }
  150. func getOAuth2HttpClient(providerConfig *config.OAuth2Provider) *HttpClientSettings {
  151. config := &HttpClientSettings{
  152. Transport: &http.Transport{
  153. TLSClientConfig: &tls.Config{InsecureSkipVerify: providerConfig.InsecureSkipVerify},
  154. },
  155. Timeout: time.Duration(min(3, providerConfig.CallbackTimeout)) * time.Second,
  156. }
  157. if providerConfig.CertBundlePath != "" {
  158. config.Transport.TLSClientConfig.RootCAs = getOAuthCertBundle(providerConfig)
  159. }
  160. return config
  161. }
  162. func getOAuthCertBundle(providerConfig *config.OAuth2Provider) *x509.CertPool {
  163. caCert, err := os.ReadFile(providerConfig.CertBundlePath)
  164. if err != nil {
  165. log.Errorf("OAuth2 Cert Bundle - failed to read file: %v", err)
  166. return nil
  167. }
  168. caCertPool := x509.NewCertPool()
  169. if ok := caCertPool.AppendCertsFromPEM(caCert); !ok {
  170. log.Errorf("OAuth2 Cert Bundle - failed to append certificates from PEM")
  171. }
  172. return caCertPool
  173. }
  174. func (h *OAuth2Handler) exchangeOAuthCode(ctx context.Context, providerConfig *oauth2.Config, code string, clientSettings *HttpClientSettings) (*oauth2.Token, error) {
  175. exchangeClient := &http.Client{
  176. Transport: clientSettings.Transport,
  177. Timeout: clientSettings.Timeout,
  178. }
  179. ctx = context.WithValue(ctx, oauth2.HTTPClient, exchangeClient)
  180. return providerConfig.Exchange(ctx, code)
  181. }
  182. func (h *OAuth2Handler) createUserInfoClient(ctx context.Context, providerConfig *oauth2.Config, tok *oauth2.Token, clientSettings *HttpClientSettings) *http.Client {
  183. return &http.Client{
  184. Transport: &oauth2.Transport{
  185. Source: providerConfig.TokenSource(ctx, tok),
  186. Base: clientSettings.Transport,
  187. },
  188. Timeout: clientSettings.Timeout,
  189. }
  190. }
  191. func (h *OAuth2Handler) computeUsergroup(userinfo *UserInfo, providerConfig *config.OAuth2Provider) string {
  192. usergroup := userinfo.Usergroup
  193. if providerConfig != nil && providerConfig.AddToUsergroup != "" {
  194. if usergroup != "" {
  195. usergroup = usergroup + " " + providerConfig.AddToUsergroup
  196. } else {
  197. usergroup = providerConfig.AddToUsergroup
  198. }
  199. }
  200. return usergroup
  201. }
  202. func (h *OAuth2Handler) HandleOAuthCallback(w http.ResponseWriter, r *http.Request) {
  203. log.Infof("OAuth2 Callback received")
  204. registeredState, state, ok := h.checkOAuthCallbackCookie(w, r)
  205. if !ok {
  206. return
  207. }
  208. code := r.FormValue("code")
  209. log.WithFields(log.Fields{
  210. "state": state,
  211. "token-code": code,
  212. }).Debug("OAuth2 Token Code")
  213. providerConfig := h.cfg.AuthOAuth2Providers[registeredState.providerName]
  214. clientSettings := getOAuth2HttpClient(providerConfig)
  215. ctx := context.Background()
  216. tok, err := h.exchangeOAuthCode(ctx, registeredState.providerConfig, code, clientSettings)
  217. if err != nil {
  218. log.Errorf("Failed to exchange code: %v", err)
  219. http.Error(w, "Failed to exchange code", http.StatusBadRequest)
  220. return
  221. }
  222. userInfoClient := h.createUserInfoClient(ctx, registeredState.providerConfig, tok, clientSettings)
  223. userinfo := getUserInfo(h.cfg, userInfoClient, providerConfig)
  224. h.registeredStates[state].Username = userinfo.Username
  225. h.registeredStates[state].Usergroup = h.computeUsergroup(userinfo, providerConfig)
  226. http.Redirect(w, r, "/", http.StatusFound)
  227. }
  228. type UserInfo struct {
  229. Username string
  230. Usergroup string
  231. }
  232. //gocyclo:ignore
  233. func getUserInfo(cfg *config.Config, client *http.Client, provider *config.OAuth2Provider) *UserInfo {
  234. ret := &UserInfo{}
  235. res, err := client.Get(provider.WhoamiUrl)
  236. if err != nil {
  237. log.Errorf("Failed to get user data: %v", err)
  238. return ret
  239. }
  240. if res.StatusCode != http.StatusOK {
  241. log.Errorf("Failed to get user data: %v", res.StatusCode)
  242. return ret
  243. }
  244. defer res.Body.Close()
  245. contents, err := io.ReadAll(res.Body)
  246. if err != nil {
  247. log.Errorf("Failed to read user data: %v", err)
  248. return ret
  249. }
  250. var userData map[string]any
  251. if cfg.InsecureAllowDumpOAuth2UserData {
  252. log.Debugf("OAuth2 User Data: %v+", string(contents))
  253. }
  254. err = json.Unmarshal([]byte(contents), &userData)
  255. if err != nil {
  256. log.Errorf("Failed to unmarshal user data: %v", err)
  257. return ret
  258. }
  259. ret.Username = getDataField(userData, provider.UsernameField)
  260. ret.Usergroup = getDataField(userData, provider.UserGroupField)
  261. return ret
  262. }
  263. func getDataField(data map[string]any, field string) string {
  264. if field == "" {
  265. return ""
  266. }
  267. val, ok := data[field]
  268. if !ok {
  269. log.Errorf("Failed to get field from user data: %v / %v", data, field)
  270. return ""
  271. }
  272. stringVal, ok := val.(string)
  273. if !ok {
  274. log.Errorf("Field %v is not a string: %v", field, val)
  275. return ""
  276. }
  277. return stringVal
  278. }
  279. func (h *OAuth2Handler) CheckUserFromOAuth2Cookie(context *authTypes.AuthCheckingContext) *authTypes.AuthenticatedUser {
  280. cookie, err := context.Request.Cookie("olivetin-sid-oauth")
  281. user := &authTypes.AuthenticatedUser{}
  282. if err != nil {
  283. return nil
  284. }
  285. if cookie.Value == "" {
  286. return nil
  287. }
  288. serverState, found := h.registeredStates[cookie.Value]
  289. if !found {
  290. log.WithFields(log.Fields{
  291. "sid": cookie.Value,
  292. "provider": "oauth2",
  293. }).Warnf("Stale session")
  294. return nil
  295. }
  296. user.Username = serverState.Username
  297. user.UsergroupLine = serverState.Usergroup
  298. user.Provider = "oauth2"
  299. user.SID = cookie.Value
  300. return user
  301. }