closed-social
/
gitea
3
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7308 Commits
2 Branches
178 MiB
Tree: 0a8e63c682
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '0a8e63c682'
${ noResults }
gitea/routers/user/oauth.go

478 lines
16 KiB
Raw Normal View History

Integrate OAuth2 Provider (#5378)
5 years ago
Add support for client basic auth for exchanging access tokens (#6293) * Add support for client basic auth for exchanging access tokens * Improve error messages * Fix tests
5 years ago
Integrate OAuth2 Provider (#5378)
5 years ago
Add support for client basic auth for exchanging access tokens (#6293) * Add support for client basic auth for exchanging access tokens * Improve error messages * Fix tests
5 years ago
Integrate OAuth2 Provider (#5378)
5 years ago
Add support for client basic auth for exchanging access tokens (#6293) * Add support for client basic auth for exchanging access tokens * Improve error messages * Fix tests
5 years ago
Integrate OAuth2 Provider (#5378)
5 years ago
Add support for client basic auth for exchanging access tokens (#6293) * Add support for client basic auth for exchanging access tokens * Improve error messages * Fix tests
5 years ago
Integrate OAuth2 Provider (#5378)
5 years ago
 
  1. // Copyright 2019 The Gitea Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package user
  6. 

  7. import (
  8. 	"encoding/base64"
  9. 	"fmt"
  10. 	"net/url"
  11. 	"strings"
  12. 

  13. 	"github.com/dgrijalva/jwt-go"
  14. 	"github.com/go-macaron/binding"
  15. 

  16. 	"code.gitea.io/gitea/models"
  17. 	"code.gitea.io/gitea/modules/auth"
  18. 	"code.gitea.io/gitea/modules/base"
  19. 	"code.gitea.io/gitea/modules/context"
  20. 	"code.gitea.io/gitea/modules/log"
  21. 	"code.gitea.io/gitea/modules/setting"
  22. 	"code.gitea.io/gitea/modules/util"
  23. )
  24. 

  25. const (
  26. 	tplGrantAccess base.TplName = "user/auth/grant"
  27. 	tplGrantError  base.TplName = "user/auth/grant_error"
  28. )
  29. 

  30. // TODO move error and responses to SDK or models

  31. 

  32. // AuthorizeErrorCode represents an error code specified in RFC 6749

  33. type AuthorizeErrorCode string
  34. 

  35. const (
  36. 	// ErrorCodeInvalidRequest represents the according error in RFC 6749

  37. 	ErrorCodeInvalidRequest AuthorizeErrorCode = "invalid_request"
  38. 	// ErrorCodeUnauthorizedClient represents the according error in RFC 6749

  39. 	ErrorCodeUnauthorizedClient AuthorizeErrorCode = "unauthorized_client"
  40. 	// ErrorCodeAccessDenied represents the according error in RFC 6749

  41. 	ErrorCodeAccessDenied AuthorizeErrorCode = "access_denied"
  42. 	// ErrorCodeUnsupportedResponseType represents the according error in RFC 6749

  43. 	ErrorCodeUnsupportedResponseType AuthorizeErrorCode = "unsupported_response_type"
  44. 	// ErrorCodeInvalidScope represents the according error in RFC 6749

  45. 	ErrorCodeInvalidScope AuthorizeErrorCode = "invalid_scope"
  46. 	// ErrorCodeServerError represents the according error in RFC 6749

  47. 	ErrorCodeServerError AuthorizeErrorCode = "server_error"
  48. 	// ErrorCodeTemporaryUnavailable represents the according error in RFC 6749

  49. 	ErrorCodeTemporaryUnavailable AuthorizeErrorCode = "temporarily_unavailable"
  50. )
  51. 

  52. // AuthorizeError represents an error type specified in RFC 6749

  53. type AuthorizeError struct {
  54. 	ErrorCode        AuthorizeErrorCode `json:"error" form:"error"`
  55. 	ErrorDescription string
  56. 	State            string
  57. }
  58. 

  59. // Error returns the error message

  60. func (err AuthorizeError) Error() string {
  61. 	return fmt.Sprintf("%s: %s", err.ErrorCode, err.ErrorDescription)
  62. }
  63. 

  64. // AccessTokenErrorCode represents an error code specified in RFC 6749

  65. type AccessTokenErrorCode string
  66. 

  67. const (
  68. 	// AccessTokenErrorCodeInvalidRequest represents an error code specified in RFC 6749

  69. 	AccessTokenErrorCodeInvalidRequest AccessTokenErrorCode = "invalid_request"
  70. 	// AccessTokenErrorCodeInvalidClient represents an error code specified in RFC 6749

  71. 	AccessTokenErrorCodeInvalidClient = "invalid_client"
  72. 	// AccessTokenErrorCodeInvalidGrant represents an error code specified in RFC 6749

  73. 	AccessTokenErrorCodeInvalidGrant = "invalid_grant"
  74. 	// AccessTokenErrorCodeUnauthorizedClient represents an error code specified in RFC 6749

  75. 	AccessTokenErrorCodeUnauthorizedClient = "unauthorized_client"
  76. 	// AccessTokenErrorCodeUnsupportedGrantType represents an error code specified in RFC 6749

  77. 	AccessTokenErrorCodeUnsupportedGrantType = "unsupported_grant_type"
  78. 	// AccessTokenErrorCodeInvalidScope represents an error code specified in RFC 6749

  79. 	AccessTokenErrorCodeInvalidScope = "invalid_scope"
  80. )
  81. 

  82. // AccessTokenError represents an error response specified in RFC 6749

  83. type AccessTokenError struct {
  84. 	ErrorCode        AccessTokenErrorCode `json:"error" form:"error"`
  85. 	ErrorDescription string               `json:"error_description"`
  86. }
  87. 

  88. // Error returns the error message

  89. func (err AccessTokenError) Error() string {
  90. 	return fmt.Sprintf("%s: %s", err.ErrorCode, err.ErrorDescription)
  91. }
  92. 

  93. // TokenType specifies the kind of token

  94. type TokenType string
  95. 

  96. const (
  97. 	// TokenTypeBearer represents a token type specified in RFC 6749

  98. 	TokenTypeBearer TokenType = "bearer"
  99. 	// TokenTypeMAC represents a token type specified in RFC 6749

  100. 	TokenTypeMAC = "mac"
  101. )
  102. 

  103. // AccessTokenResponse represents a successful access token response

  104. type AccessTokenResponse struct {
  105. 	AccessToken string    `json:"access_token"`
  106. 	TokenType   TokenType `json:"token_type"`
  107. 	ExpiresIn   int64     `json:"expires_in"`
  108. 	// TODO implement RefreshToken

  109. 	RefreshToken string `json:"refresh_token"`
  110. }
  111. 

  112. func newAccessTokenResponse(grant *models.OAuth2Grant) (*AccessTokenResponse, *AccessTokenError) {
  113. 	if err := grant.IncreaseCounter(); err != nil {
  114. 		return nil, &AccessTokenError{
  115. 			ErrorCode:        AccessTokenErrorCodeInvalidGrant,
  116. 			ErrorDescription: "cannot increase the grant counter",
  117. 		}
  118. 	}
  119. 	// generate access token to access the API

  120. 	expirationDate := util.TimeStampNow().Add(setting.OAuth2.AccessTokenExpirationTime)
  121. 	accessToken := &models.OAuth2Token{
  122. 		GrantID: grant.ID,
  123. 		Type:    models.TypeAccessToken,
  124. 		StandardClaims: jwt.StandardClaims{
  125. 			ExpiresAt: expirationDate.AsTime().Unix(),
  126. 		},
  127. 	}
  128. 	signedAccessToken, err := accessToken.SignToken()
  129. 	if err != nil {
  130. 		return nil, &AccessTokenError{
  131. 			ErrorCode:        AccessTokenErrorCodeInvalidRequest,
  132. 			ErrorDescription: "cannot sign token",
  133. 		}
  134. 	}
  135. 

  136. 	// generate refresh token to request an access token after it expired later

  137. 	refreshExpirationDate := util.TimeStampNow().Add(setting.OAuth2.RefreshTokenExpirationTime * 60 * 60).AsTime().Unix()
  138. 	refreshToken := &models.OAuth2Token{
  139. 		GrantID: grant.ID,
  140. 		Counter: grant.Counter,
  141. 		Type:    models.TypeRefreshToken,
  142. 		StandardClaims: jwt.StandardClaims{
  143. 			ExpiresAt: refreshExpirationDate,
  144. 		},
  145. 	}
  146. 	signedRefreshToken, err := refreshToken.SignToken()
  147. 	if err != nil {
  148. 		return nil, &AccessTokenError{
  149. 			ErrorCode:        AccessTokenErrorCodeInvalidRequest,
  150. 			ErrorDescription: "cannot sign token",
  151. 		}
  152. 	}
  153. 

  154. 	return &AccessTokenResponse{
  155. 		AccessToken:  signedAccessToken,
  156. 		TokenType:    TokenTypeBearer,
  157. 		ExpiresIn:    setting.OAuth2.AccessTokenExpirationTime,
  158. 		RefreshToken: signedRefreshToken,
  159. 	}, nil
  160. }
  161. 

  162. // AuthorizeOAuth manages authorize requests

  163. func AuthorizeOAuth(ctx *context.Context, form auth.AuthorizationForm) {
  164. 	errs := binding.Errors{}
  165. 	errs = form.Validate(ctx.Context, errs)
  166. 

  167. 	app, err := models.GetOAuth2ApplicationByClientID(form.ClientID)
  168. 	if err != nil {
  169. 		if models.IsErrOauthClientIDInvalid(err) {
  170. 			handleAuthorizeError(ctx, AuthorizeError{
  171. 				ErrorCode:        ErrorCodeUnauthorizedClient,
  172. 				ErrorDescription: "Client ID not registered",
  173. 				State:            form.State,
  174. 			}, "")
  175. 			return
  176. 		}
  177. 		ctx.ServerError("GetOAuth2ApplicationByClientID", err)
  178. 		return
  179. 	}
  180. 	if err := app.LoadUser(); err != nil {
  181. 		ctx.ServerError("LoadUser", err)
  182. 		return
  183. 	}
  184. 

  185. 	if !app.ContainsRedirectURI(form.RedirectURI) {
  186. 		handleAuthorizeError(ctx, AuthorizeError{
  187. 			ErrorCode:        ErrorCodeInvalidRequest,
  188. 			ErrorDescription: "Unregistered Redirect URI",
  189. 			State:            form.State,
  190. 		}, "")
  191. 		return
  192. 	}
  193. 

  194. 	if form.ResponseType != "code" {
  195. 		handleAuthorizeError(ctx, AuthorizeError{
  196. 			ErrorCode:        ErrorCodeUnsupportedResponseType,
  197. 			ErrorDescription: "Only code response type is supported.",
  198. 			State:            form.State,
  199. 		}, form.RedirectURI)
  200. 		return
  201. 	}
  202. 

  203. 	// pkce support

  204. 	switch form.CodeChallengeMethod {
  205. 	case "S256":
  206. 	case "plain":
  207. 		if err := ctx.Session.Set("CodeChallengeMethod", form.CodeChallengeMethod); err != nil {
  208. 			handleAuthorizeError(ctx, AuthorizeError{
  209. 				ErrorCode:        ErrorCodeServerError,
  210. 				ErrorDescription: "cannot set code challenge method",
  211. 				State:            form.State,
  212. 			}, form.RedirectURI)
  213. 			return
  214. 		}
  215. 		if err := ctx.Session.Set("CodeChallengeMethod", form.CodeChallenge); err != nil {
  216. 			handleAuthorizeError(ctx, AuthorizeError{
  217. 				ErrorCode:        ErrorCodeServerError,
  218. 				ErrorDescription: "cannot set code challenge",
  219. 				State:            form.State,
  220. 			}, form.RedirectURI)
  221. 			return
  222. 		}
  223. 		break
  224. 	case "":
  225. 		break
  226. 	default:
  227. 		handleAuthorizeError(ctx, AuthorizeError{
  228. 			ErrorCode:        ErrorCodeInvalidRequest,
  229. 			ErrorDescription: "unsupported code challenge method",
  230. 			State:            form.State,
  231. 		}, form.RedirectURI)
  232. 		return
  233. 	}
  234. 

  235. 	grant, err := app.GetGrantByUserID(ctx.User.ID)
  236. 	if err != nil {
  237. 		handleServerError(ctx, form.State, form.RedirectURI)
  238. 		return
  239. 	}
  240. 

  241. 	// Redirect if user already granted access

  242. 	if grant != nil {
  243. 		code, err := grant.GenerateNewAuthorizationCode(form.RedirectURI, form.CodeChallenge, form.CodeChallengeMethod)
  244. 		if err != nil {
  245. 			handleServerError(ctx, form.State, form.RedirectURI)
  246. 			return
  247. 		}
  248. 		redirect, err := code.GenerateRedirectURI(form.State)
  249. 		if err != nil {
  250. 			handleServerError(ctx, form.State, form.RedirectURI)
  251. 			return
  252. 		}
  253. 		ctx.Redirect(redirect.String(), 302)
  254. 		return
  255. 	}
  256. 

  257. 	// show authorize page to grant access

  258. 	ctx.Data["Application"] = app
  259. 	ctx.Data["RedirectURI"] = form.RedirectURI
  260. 	ctx.Data["State"] = form.State
  261. 	ctx.Data["ApplicationUserLink"] = "<a href=\"" + setting.LocalURL + app.User.LowerName + "\">@" + app.User.Name + "</a>"
  262. 	ctx.Data["ApplicationRedirectDomainHTML"] = "<strong>" + form.RedirectURI + "</strong>"
  263. 	// TODO document SESSION <=> FORM

  264. 	ctx.Session.Set("client_id", app.ClientID)
  265. 	ctx.Session.Set("redirect_uri", form.RedirectURI)
  266. 	ctx.Session.Set("state", form.State)
  267. 	ctx.HTML(200, tplGrantAccess)
  268. }
  269. 

  270. // GrantApplicationOAuth manages the post request submitted when a user grants access to an application

  271. func GrantApplicationOAuth(ctx *context.Context, form auth.GrantApplicationForm) {
  272. 	if ctx.Session.Get("client_id") != form.ClientID || ctx.Session.Get("state") != form.State ||
  273. 		ctx.Session.Get("redirect_uri") != form.RedirectURI {
  274. 		ctx.Error(400)
  275. 		return
  276. 	}
  277. 	app, err := models.GetOAuth2ApplicationByClientID(form.ClientID)
  278. 	if err != nil {
  279. 		ctx.ServerError("GetOAuth2ApplicationByClientID", err)
  280. 		return
  281. 	}
  282. 	grant, err := app.CreateGrant(ctx.User.ID)
  283. 	if err != nil {
  284. 		handleAuthorizeError(ctx, AuthorizeError{
  285. 			State:            form.State,
  286. 			ErrorDescription: "cannot create grant for user",
  287. 			ErrorCode:        ErrorCodeServerError,
  288. 		}, form.RedirectURI)
  289. 		return
  290. 	}
  291. 

  292. 	var codeChallenge, codeChallengeMethod string
  293. 	codeChallenge, _ = ctx.Session.Get("CodeChallenge").(string)
  294. 	codeChallengeMethod, _ = ctx.Session.Get("CodeChallengeMethod").(string)
  295. 

  296. 	code, err := grant.GenerateNewAuthorizationCode(form.RedirectURI, codeChallenge, codeChallengeMethod)
  297. 	if err != nil {
  298. 		handleServerError(ctx, form.State, form.RedirectURI)
  299. 		return
  300. 	}
  301. 	redirect, err := code.GenerateRedirectURI(form.State)
  302. 	if err != nil {
  303. 		handleServerError(ctx, form.State, form.RedirectURI)
  304. 	}
  305. 	ctx.Redirect(redirect.String(), 302)
  306. }
  307. 

  308. // AccessTokenOAuth manages all access token requests by the client

  309. func AccessTokenOAuth(ctx *context.Context, form auth.AccessTokenForm) {
  310. 	if form.ClientID == "" {
  311. 		authHeader := ctx.Req.Header.Get("Authorization")
  312. 		authContent := strings.SplitN(authHeader, " ", 2)
  313. 		if len(authContent) == 2 && authContent[0] == "Basic" {
  314. 			payload, err := base64.StdEncoding.DecodeString(authContent[1])
  315. 			if err != nil {
  316. 				handleAccessTokenError(ctx, AccessTokenError{
  317. 					ErrorCode:        AccessTokenErrorCodeInvalidRequest,
  318. 					ErrorDescription: "cannot parse basic auth header",
  319. 				})
  320. 				return
  321. 			}
  322. 			pair := strings.SplitN(string(payload), ":", 2)
  323. 			if len(pair) != 2 {
  324. 				handleAccessTokenError(ctx, AccessTokenError{
  325. 					ErrorCode:        AccessTokenErrorCodeInvalidRequest,
  326. 					ErrorDescription: "cannot parse basic auth header",
  327. 				})
  328. 				return
  329. 			}
  330. 			form.ClientID = pair[0]
  331. 			form.ClientSecret = pair[1]
  332. 		}
  333. 	}
  334. 	switch form.GrantType {
  335. 	case "refresh_token":
  336. 		handleRefreshToken(ctx, form)
  337. 		return
  338. 	case "authorization_code":
  339. 		handleAuthorizationCode(ctx, form)
  340. 		return
  341. 	default:
  342. 		handleAccessTokenError(ctx, AccessTokenError{
  343. 			ErrorCode:        AccessTokenErrorCodeUnsupportedGrantType,
  344. 			ErrorDescription: "Only refresh_token or authorization_code grant type is supported",
  345. 		})
  346. 	}
  347. }
  348. 

  349. func handleRefreshToken(ctx *context.Context, form auth.AccessTokenForm) {
  350. 	token, err := models.ParseOAuth2Token(form.RefreshToken)
  351. 	if err != nil {
  352. 		handleAccessTokenError(ctx, AccessTokenError{
  353. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,
  354. 			ErrorDescription: "client is not authorized",
  355. 		})
  356. 		return
  357. 	}
  358. 	// get grant before increasing counter

  359. 	grant, err := models.GetOAuth2GrantByID(token.GrantID)
  360. 	if err != nil || grant == nil {
  361. 		handleAccessTokenError(ctx, AccessTokenError{
  362. 			ErrorCode:        AccessTokenErrorCodeInvalidGrant,
  363. 			ErrorDescription: "grant does not exist",
  364. 		})
  365. 		return
  366. 	}
  367. 

  368. 	// check if token got already used

  369. 	if grant.Counter != token.Counter || token.Counter == 0 {
  370. 		handleAccessTokenError(ctx, AccessTokenError{
  371. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,
  372. 			ErrorDescription: "token was already used",
  373. 		})
  374. 		log.Warn("A client tried to use a refresh token for grant_id = %d was used twice!", grant.ID)
  375. 		return
  376. 	}
  377. 	accessToken, tokenErr := newAccessTokenResponse(grant)
  378. 	if tokenErr != nil {
  379. 		handleAccessTokenError(ctx, *tokenErr)
  380. 		return
  381. 	}
  382. 	ctx.JSON(200, accessToken)
  383. }
  384. 

  385. func handleAuthorizationCode(ctx *context.Context, form auth.AccessTokenForm) {
  386. 	app, err := models.GetOAuth2ApplicationByClientID(form.ClientID)
  387. 	if err != nil {
  388. 		handleAccessTokenError(ctx, AccessTokenError{
  389. 			ErrorCode:        AccessTokenErrorCodeInvalidClient,
  390. 			ErrorDescription: fmt.Sprintf("cannot load client with client id: '%s'", form.ClientID),
  391. 		})
  392. 		return
  393. 	}
  394. 	if !app.ValidateClientSecret([]byte(form.ClientSecret)) {
  395. 		handleAccessTokenError(ctx, AccessTokenError{
  396. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,
  397. 			ErrorDescription: "client is not authorized",
  398. 		})
  399. 		return
  400. 	}
  401. 	if form.RedirectURI != "" && !app.ContainsRedirectURI(form.RedirectURI) {
  402. 		handleAccessTokenError(ctx, AccessTokenError{
  403. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,
  404. 			ErrorDescription: "client is not authorized",
  405. 		})
  406. 		return
  407. 	}
  408. 	authorizationCode, err := models.GetOAuth2AuthorizationByCode(form.Code)
  409. 	if err != nil || authorizationCode == nil {
  410. 		handleAccessTokenError(ctx, AccessTokenError{
  411. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,
  412. 			ErrorDescription: "client is not authorized",
  413. 		})
  414. 		return
  415. 	}
  416. 	// check if code verifier authorizes the client, PKCE support

  417. 	if !authorizationCode.ValidateCodeChallenge(form.CodeVerifier) {
  418. 		handleAccessTokenError(ctx, AccessTokenError{
  419. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,
  420. 			ErrorDescription: "client is not authorized",
  421. 		})
  422. 		return
  423. 	}
  424. 	// check if granted for this application

  425. 	if authorizationCode.Grant.ApplicationID != app.ID {
  426. 		handleAccessTokenError(ctx, AccessTokenError{
  427. 			ErrorCode:        AccessTokenErrorCodeInvalidGrant,
  428. 			ErrorDescription: "invalid grant",
  429. 		})
  430. 		return
  431. 	}
  432. 	// remove token from database to deny duplicate usage

  433. 	if err := authorizationCode.Invalidate(); err != nil {
  434. 		handleAccessTokenError(ctx, AccessTokenError{
  435. 			ErrorCode:        AccessTokenErrorCodeInvalidRequest,
  436. 			ErrorDescription: "cannot proceed your request",
  437. 		})
  438. 	}
  439. 	resp, tokenErr := newAccessTokenResponse(authorizationCode.Grant)
  440. 	if tokenErr != nil {
  441. 		handleAccessTokenError(ctx, *tokenErr)
  442. 		return
  443. 	}
  444. 	// send successful response

  445. 	ctx.JSON(200, resp)
  446. }
  447. 

  448. func handleAccessTokenError(ctx *context.Context, acErr AccessTokenError) {
  449. 	ctx.JSON(400, acErr)
  450. }
  451. 

  452. func handleServerError(ctx *context.Context, state string, redirectURI string) {
  453. 	handleAuthorizeError(ctx, AuthorizeError{
  454. 		ErrorCode:        ErrorCodeServerError,
  455. 		ErrorDescription: "A server error occurred",
  456. 		State:            state,
  457. 	}, redirectURI)
  458. }
  459. 

  460. func handleAuthorizeError(ctx *context.Context, authErr AuthorizeError, redirectURI string) {
  461. 	if redirectURI == "" {
  462. 		log.Warn("Authorization failed: %v", authErr.ErrorDescription)
  463. 		ctx.Data["Error"] = authErr
  464. 		ctx.HTML(400, tplGrantError)
  465. 		return
  466. 	}
  467. 	redirect, err := url.Parse(redirectURI)
  468. 	if err != nil {
  469. 		ctx.ServerError("url.Parse", err)
  470. 		return
  471. 	}
  472. 	q := redirect.Query()
  473. 	q.Set("error", string(authErr.ErrorCode))
  474. 	q.Set("error_description", authErr.ErrorDescription)
  475. 	q.Set("state", authErr.State)
  476. 	redirect.RawQuery = q.Encode()
  477. 	ctx.Redirect(redirect.String(), 302)
  478. }