4
0

restapi_auth_oauth2.go 8.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370
  1. package httpservers
  2. import (
  3. "context"
  4. "crypto/rand"
  5. "crypto/tls"
  6. "crypto/x509"
  7. "encoding/base64"
  8. "encoding/json"
  9. "fmt"
  10. config "github.com/OliveTin/OliveTin/internal/config"
  11. log "github.com/sirupsen/logrus"
  12. "golang.org/x/oauth2"
  13. "io"
  14. "net/http"
  15. "os"
  16. "time"
  17. )
  18. var (
  19. registeredStates = make(map[string]*oauth2State)
  20. registeredProviders = make(map[string]*oauth2.Config)
  21. )
  22. type oauth2State struct {
  23. providerConfig *oauth2.Config
  24. providerName string
  25. Username string
  26. Usergroup string
  27. }
  28. func assignIfEmpty(target *string, value string) {
  29. if *target == "" {
  30. *target = value
  31. }
  32. }
  33. func oauth2Init(cfg *config.Config) {
  34. for providerName, providerConfig := range cfg.AuthOAuth2Providers {
  35. completeProviderConfig(providerName, providerConfig)
  36. newConfig := &oauth2.Config{
  37. ClientID: providerConfig.ClientID,
  38. ClientSecret: providerConfig.ClientSecret,
  39. Scopes: providerConfig.Scopes,
  40. Endpoint: oauth2.Endpoint{
  41. AuthURL: providerConfig.AuthUrl,
  42. TokenURL: providerConfig.TokenUrl,
  43. },
  44. RedirectURL: cfg.AuthOAuth2RedirectURL,
  45. }
  46. registeredProviders[providerName] = newConfig
  47. log.Debugf("Dumping newly registered provider: %v = %+v", providerName, providerConfig)
  48. }
  49. }
  50. func completeProviderConfig(providerName string, providerConfig *config.OAuth2Provider) {
  51. dbConfig, ok := oauth2ProviderDatabase[providerName]
  52. if ok {
  53. assignIfEmpty(&providerConfig.Name, dbConfig.Name)
  54. assignIfEmpty(&providerConfig.Title, dbConfig.Title)
  55. assignIfEmpty(&providerConfig.WhoamiUrl, dbConfig.WhoamiUrl)
  56. assignIfEmpty(&providerConfig.TokenUrl, dbConfig.TokenUrl)
  57. assignIfEmpty(&providerConfig.AuthUrl, dbConfig.AuthUrl)
  58. assignIfEmpty(&providerConfig.Icon, dbConfig.Icon)
  59. assignIfEmpty(&providerConfig.UsernameField, dbConfig.UsernameField)
  60. if providerConfig.Scopes == nil {
  61. providerConfig.Scopes = dbConfig.Scopes
  62. }
  63. } else {
  64. log.Warnf("Provider not found in database: %v", providerName)
  65. }
  66. }
  67. func getOAuth2Config(providerName string) (*oauth2.Config, error) {
  68. config, ok := registeredProviders[providerName]
  69. if !ok {
  70. return nil, fmt.Errorf("provider not found in config: %v", providerName)
  71. }
  72. return config, nil
  73. }
  74. func randString(nByte int) (string, error) {
  75. b := make([]byte, nByte)
  76. if _, err := io.ReadFull(rand.Reader, b); err != nil {
  77. return "", err
  78. }
  79. return base64.URLEncoding.EncodeToString(b), nil
  80. }
  81. func setOAuthCallbackCookie(w http.ResponseWriter, r *http.Request, name, value string) {
  82. cookie := &http.Cookie{
  83. Name: name,
  84. Value: value,
  85. MaxAge: 31556952, // 1 year
  86. Secure: r.TLS != nil,
  87. HttpOnly: true,
  88. Path: "/",
  89. }
  90. http.SetCookie(w, cookie)
  91. }
  92. func handleOAuthLogin(w http.ResponseWriter, r *http.Request) {
  93. state, err := randString(16)
  94. if err != nil {
  95. http.Error(w, err.Error(), http.StatusInternalServerError)
  96. return
  97. }
  98. providerName := r.URL.Query().Get("provider")
  99. provider, err := getOAuth2Config(providerName)
  100. if err != nil {
  101. log.Errorf("Failed to get provider config: %v %v", providerName, err)
  102. http.Error(w, err.Error(), http.StatusBadRequest)
  103. return
  104. }
  105. registeredStates[state] = &oauth2State{
  106. providerConfig: provider,
  107. providerName: providerName,
  108. Username: "",
  109. }
  110. setOAuthCallbackCookie(w, r, "olivetin-sid-oauth", state)
  111. log.Infof("OAuth2 state: %v mapped to provider %v (found: %v), now redirecting", state, providerName, provider != nil)
  112. http.Redirect(w, r, provider.AuthCodeURL(state), http.StatusFound)
  113. }
  114. func checkOAuthCallbackCookie(w http.ResponseWriter, r *http.Request) (*oauth2State, string, bool) {
  115. cookie, err := r.Cookie("olivetin-sid-oauth")
  116. state := cookie.Value
  117. if err != nil {
  118. log.Errorf("Failed to get state cookie: %v", err)
  119. http.Error(w, "State not found", http.StatusBadRequest)
  120. return nil, state, false
  121. }
  122. if r.URL.Query().Get("state") != state {
  123. log.Errorf("State mismatch: %v != %v", r.URL.Query().Get("state"), state)
  124. http.Error(w, "State mismatch", http.StatusBadRequest)
  125. return nil, state, false
  126. }
  127. registeredState, ok := registeredStates[state]
  128. if !ok {
  129. log.Errorf("State not found in server: %v", state)
  130. http.Error(w, "State not found in server", http.StatusBadRequest)
  131. }
  132. return registeredState, state, true
  133. }
  134. type HttpClientSettings struct {
  135. Transport *http.Transport
  136. Timeout time.Duration
  137. }
  138. func getOAuth2HttpClient(providerConfig *config.OAuth2Provider) *HttpClientSettings {
  139. config := &HttpClientSettings{
  140. Transport: &http.Transport{
  141. TLSClientConfig: &tls.Config{InsecureSkipVerify: providerConfig.InsecureSkipVerify},
  142. },
  143. Timeout: time.Duration(min(3, providerConfig.CallbackTimeout)) * time.Second,
  144. }
  145. if providerConfig.CertBundlePath != "" {
  146. config.Transport.TLSClientConfig.RootCAs = getOAuthCertBundle(providerConfig)
  147. }
  148. return config
  149. }
  150. func getOAuthCertBundle(providerConfig *config.OAuth2Provider) *x509.CertPool {
  151. caCert, err := os.ReadFile(providerConfig.CertBundlePath)
  152. if err != nil {
  153. log.Errorf("OAuth2 Cert Bundle - failed to read file: %v", err)
  154. return nil
  155. }
  156. caCertPool := x509.NewCertPool()
  157. if ok := caCertPool.AppendCertsFromPEM(caCert); !ok {
  158. log.Errorf("OAuth2 Cert Bundle - failed to append certificates: %v", err)
  159. }
  160. return caCertPool
  161. }
  162. func handleOAuthCallback(w http.ResponseWriter, r *http.Request) {
  163. log.Infof("OAuth2 Callback received")
  164. registeredState, state, ok := checkOAuthCallbackCookie(w, r)
  165. if !ok {
  166. return
  167. }
  168. code := r.FormValue("code")
  169. log.WithFields(log.Fields{
  170. "state": state,
  171. "token-code": code,
  172. }).Debug("OAuth2 Token Code")
  173. providerConfig := cfg.AuthOAuth2Providers[registeredState.providerName]
  174. clientSettings := getOAuth2HttpClient(providerConfig)
  175. exchangeClient := &http.Client{
  176. Transport: clientSettings.Transport,
  177. Timeout: clientSettings.Timeout,
  178. }
  179. ctx := context.Background()
  180. ctx = context.WithValue(ctx, oauth2.HTTPClient, exchangeClient)
  181. tok, err := registeredState.providerConfig.Exchange(ctx, code)
  182. if err != nil {
  183. log.Errorf("Failed to exchange code: %v", err)
  184. http.Error(w, "Failed to exchange code", http.StatusBadRequest)
  185. return
  186. }
  187. userInfoClient := &http.Client{
  188. Transport: &oauth2.Transport{
  189. Source: registeredState.providerConfig.TokenSource(ctx, tok),
  190. Base: clientSettings.Transport,
  191. },
  192. Timeout: clientSettings.Timeout,
  193. }
  194. userinfo := getUserInfo(cfg, userInfoClient, cfg.AuthOAuth2Providers[registeredState.providerName])
  195. registeredStates[state].Username = userinfo.Username
  196. registeredStates[state].Usergroup = userinfo.Usergroup
  197. for k, v := range registeredStates {
  198. log.Debugf("states: %+v %+v", k, v)
  199. }
  200. log.WithFields(log.Fields{
  201. "state": state,
  202. "username": registeredStates[state].Username,
  203. }).Info("OAuth2 login successful")
  204. http.Redirect(w, r, "/", http.StatusFound)
  205. w.Write([]byte("OAuth2 login successful."))
  206. }
  207. type UserInfo struct {
  208. Username string
  209. Usergroup string
  210. }
  211. //gocyclo:ignore
  212. func getUserInfo(cfg *config.Config, client *http.Client, provider *config.OAuth2Provider) *UserInfo {
  213. ret := &UserInfo{}
  214. res, err := client.Get(provider.WhoamiUrl)
  215. if err != nil {
  216. log.Errorf("Failed to get user data: %v", err)
  217. return ret
  218. }
  219. if res.StatusCode != http.StatusOK {
  220. log.Errorf("Failed to get user data: %v", res.StatusCode)
  221. return ret
  222. }
  223. defer res.Body.Close()
  224. contents, err := io.ReadAll(res.Body)
  225. if err != nil {
  226. log.Errorf("Failed to read user data: %v", err)
  227. return ret
  228. }
  229. var userData map[string]any
  230. if cfg.InsecureAllowDumpOAuth2UserData {
  231. log.Debugf("OAuth2 User Data: %v+", string(contents))
  232. }
  233. err = json.Unmarshal([]byte(contents), &userData)
  234. if err != nil {
  235. log.Errorf("Failed to unmarshal user data: %v", err)
  236. return ret
  237. }
  238. ret.Username = getDataField(userData, provider.UsernameField)
  239. ret.Usergroup = getDataField(userData, provider.UserGroupField)
  240. return ret
  241. }
  242. func getDataField(data map[string]any, field string) string {
  243. if field == "" {
  244. return ""
  245. }
  246. val, ok := data[field]
  247. if !ok {
  248. log.Errorf("Failed to get field from user data: %v / %v", data, field)
  249. return ""
  250. }
  251. stringVal, ok := val.(string)
  252. if !ok {
  253. log.Errorf("Field %v is not a string: %v", field, val)
  254. return ""
  255. }
  256. return stringVal
  257. }
  258. func parseOAuth2Cookie(r *http.Request) (string, string, string) {
  259. cookie, err := r.Cookie("olivetin-sid-oauth")
  260. if err != nil {
  261. log.Warnf("Failed to read OAuth2 cookie: %v", err)
  262. return "", "", ""
  263. }
  264. if cookie.Value == "" {
  265. return "", "", ""
  266. }
  267. serverState, found := registeredStates[cookie.Value]
  268. if !found {
  269. log.WithFields(log.Fields{
  270. "sid": cookie.Value,
  271. "provider": "oauth2",
  272. }).Warnf("Stale session")
  273. return "", "", cookie.Value
  274. }
  275. log.Debugf("Found OAuth2 state: %+v", serverState)
  276. return serverState.Username, serverState.Usergroup, cookie.Value
  277. }