osbzr
/
com
项目红包剩余9514,下一贡献奖励5%,即 476个红包
Прати 15
Волим 7
Вики 捐赠
本站源代码
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Дрво: 4f0cac5ea6
Гране Ознаке
${ item.name }
Create branch ${ searchTerm }
from '4f0cac5ea6'
${ noResults }
com/routers/user/oauth.go

503 lines
16KB
Датотека Blame Историја 

  1. // Copyright 2019 The Gitea Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package user

  6. 

  7. import (

  8. 	"encoding/base64"

  9. 	"fmt"

  10. 	"net/url"

  11. 	"strings"

  12. 

  13. 	"code.gitea.io/gitea/models"

  14. 	"code.gitea.io/gitea/modules/auth"

  15. 	"code.gitea.io/gitea/modules/base"

  16. 	"code.gitea.io/gitea/modules/context"

  17. 	"code.gitea.io/gitea/modules/log"

  18. 	"code.gitea.io/gitea/modules/setting"

  19. 	"code.gitea.io/gitea/modules/timeutil"

  20. 

  21. 	"gitea.com/macaron/binding"

  22. 	"github.com/dgrijalva/jwt-go"

  23. )

  24. 

  25. const (

  26. 	tplGrantAccess base.TplName = "user/auth/grant"

  27. 	tplGrantError  base.TplName = "user/auth/grant_error"

  28. )

  29. 

  30. // TODO move error and responses to SDK or models

  31. 

  32. // AuthorizeErrorCode represents an error code specified in RFC 6749

  33. type AuthorizeErrorCode string

  34. 

  35. const (

  36. 	// ErrorCodeInvalidRequest represents the according error in RFC 6749

  37. 	ErrorCodeInvalidRequest AuthorizeErrorCode = "invalid_request"

  38. 	// ErrorCodeUnauthorizedClient represents the according error in RFC 6749

  39. 	ErrorCodeUnauthorizedClient AuthorizeErrorCode = "unauthorized_client"

  40. 	// ErrorCodeAccessDenied represents the according error in RFC 6749

  41. 	ErrorCodeAccessDenied AuthorizeErrorCode = "access_denied"

  42. 	// ErrorCodeUnsupportedResponseType represents the according error in RFC 6749

  43. 	ErrorCodeUnsupportedResponseType AuthorizeErrorCode = "unsupported_response_type"

  44. 	// ErrorCodeInvalidScope represents the according error in RFC 6749

  45. 	ErrorCodeInvalidScope AuthorizeErrorCode = "invalid_scope"

  46. 	// ErrorCodeServerError represents the according error in RFC 6749

  47. 	ErrorCodeServerError AuthorizeErrorCode = "server_error"

  48. 	// ErrorCodeTemporaryUnavailable represents the according error in RFC 6749

  49. 	ErrorCodeTemporaryUnavailable AuthorizeErrorCode = "temporarily_unavailable"

  50. )

  51. 

  52. // AuthorizeError represents an error type specified in RFC 6749

  53. type AuthorizeError struct {

  54. 	ErrorCode        AuthorizeErrorCode `json:"error" form:"error"`

  55. 	ErrorDescription string

  56. 	State            string

  57. }

  58. 

  59. // Error returns the error message

  60. func (err AuthorizeError) Error() string {

  61. 	return fmt.Sprintf("%s: %s", err.ErrorCode, err.ErrorDescription)

  62. }

  63. 

  64. // AccessTokenErrorCode represents an error code specified in RFC 6749

  65. type AccessTokenErrorCode string

  66. 

  67. const (

  68. 	// AccessTokenErrorCodeInvalidRequest represents an error code specified in RFC 6749

  69. 	AccessTokenErrorCodeInvalidRequest AccessTokenErrorCode = "invalid_request"

  70. 	// AccessTokenErrorCodeInvalidClient represents an error code specified in RFC 6749

  71. 	AccessTokenErrorCodeInvalidClient = "invalid_client"

  72. 	// AccessTokenErrorCodeInvalidGrant represents an error code specified in RFC 6749

  73. 	AccessTokenErrorCodeInvalidGrant = "invalid_grant"

  74. 	// AccessTokenErrorCodeUnauthorizedClient represents an error code specified in RFC 6749

  75. 	AccessTokenErrorCodeUnauthorizedClient = "unauthorized_client"

  76. 	// AccessTokenErrorCodeUnsupportedGrantType represents an error code specified in RFC 6749

  77. 	AccessTokenErrorCodeUnsupportedGrantType = "unsupported_grant_type"

  78. 	// AccessTokenErrorCodeInvalidScope represents an error code specified in RFC 6749

  79. 	AccessTokenErrorCodeInvalidScope = "invalid_scope"

  80. )

  81. 

  82. // AccessTokenError represents an error response specified in RFC 6749

  83. type AccessTokenError struct {

  84. 	ErrorCode        AccessTokenErrorCode `json:"error" form:"error"`

  85. 	ErrorDescription string               `json:"error_description"`

  86. }

  87. 

  88. // Error returns the error message

  89. func (err AccessTokenError) Error() string {

  90. 	return fmt.Sprintf("%s: %s", err.ErrorCode, err.ErrorDescription)

  91. }

  92. 

  93. // TokenType specifies the kind of token

  94. type TokenType string

  95. 

  96. const (

  97. 	// TokenTypeBearer represents a token type specified in RFC 6749

  98. 	TokenTypeBearer TokenType = "bearer"

  99. 	// TokenTypeMAC represents a token type specified in RFC 6749

  100. 	TokenTypeMAC = "mac"

  101. )

  102. 

  103. // AccessTokenResponse represents a successful access token response

  104. type AccessTokenResponse struct {

  105. 	AccessToken  string    `json:"access_token"`

  106. 	TokenType    TokenType `json:"token_type"`

  107. 	ExpiresIn    int64     `json:"expires_in"`

  108. 	RefreshToken string    `json:"refresh_token"`

  109. }

  110. 

  111. func newAccessTokenResponse(grant *models.OAuth2Grant) (*AccessTokenResponse, *AccessTokenError) {

  112. 	if setting.OAuth2.InvalidateRefreshTokens {

  113. 		if err := grant.IncreaseCounter(); err != nil {

  114. 			return nil, &AccessTokenError{

  115. 				ErrorCode:        AccessTokenErrorCodeInvalidGrant,

  116. 				ErrorDescription: "cannot increase the grant counter",

  117. 			}

  118. 		}

  119. 	}

  120. 	// generate access token to access the API

  121. 	expirationDate := timeutil.TimeStampNow().Add(setting.OAuth2.AccessTokenExpirationTime)

  122. 	accessToken := &models.OAuth2Token{

  123. 		GrantID: grant.ID,

  124. 		Type:    models.TypeAccessToken,

  125. 		StandardClaims: jwt.StandardClaims{

  126. 			ExpiresAt: expirationDate.AsTime().Unix(),

  127. 		},

  128. 	}

  129. 	signedAccessToken, err := accessToken.SignToken()

  130. 	if err != nil {

  131. 		return nil, &AccessTokenError{

  132. 			ErrorCode:        AccessTokenErrorCodeInvalidRequest,

  133. 			ErrorDescription: "cannot sign token",

  134. 		}

  135. 	}

  136. 

  137. 	// generate refresh token to request an access token after it expired later

  138. 	refreshExpirationDate := timeutil.TimeStampNow().Add(setting.OAuth2.RefreshTokenExpirationTime * 60 * 60).AsTime().Unix()

  139. 	refreshToken := &models.OAuth2Token{

  140. 		GrantID: grant.ID,

  141. 		Counter: grant.Counter,

  142. 		Type:    models.TypeRefreshToken,

  143. 		StandardClaims: jwt.StandardClaims{

  144. 			ExpiresAt: refreshExpirationDate,

  145. 		},

  146. 	}

  147. 	signedRefreshToken, err := refreshToken.SignToken()

  148. 	if err != nil {

  149. 		return nil, &AccessTokenError{

  150. 			ErrorCode:        AccessTokenErrorCodeInvalidRequest,

  151. 			ErrorDescription: "cannot sign token",

  152. 		}

  153. 	}

  154. 

  155. 	return &AccessTokenResponse{

  156. 		AccessToken:  signedAccessToken,

  157. 		TokenType:    TokenTypeBearer,

  158. 		ExpiresIn:    setting.OAuth2.AccessTokenExpirationTime,

  159. 		RefreshToken: signedRefreshToken,

  160. 	}, nil

  161. }

  162. 

  163. // AuthorizeOAuth manages authorize requests

  164. func AuthorizeOAuth(ctx *context.Context, form auth.AuthorizationForm) {

  165. 	errs := binding.Errors{}

  166. 	errs = form.Validate(ctx.Context, errs)

  167. 	if len(errs) > 0 {

  168. 		errstring := ""

  169. 		for _, e := range errs {

  170. 			errstring += e.Error() + "\n"

  171. 		}

  172. 		ctx.ServerError("AuthorizeOAuth: Validate: ", fmt.Errorf("errors occurred during validation: %s", errstring))

  173. 		return

  174. 	}

  175. 

  176. 	app, err := models.GetOAuth2ApplicationByClientID(form.ClientID)

  177. 	if err != nil {

  178. 		if models.IsErrOauthClientIDInvalid(err) {

  179. 			handleAuthorizeError(ctx, AuthorizeError{

  180. 				ErrorCode:        ErrorCodeUnauthorizedClient,

  181. 				ErrorDescription: "Client ID not registered",

  182. 				State:            form.State,

  183. 			}, "")

  184. 			return

  185. 		}

  186. 		ctx.ServerError("GetOAuth2ApplicationByClientID", err)

  187. 		return

  188. 	}

  189. 	if err := app.LoadUser(); err != nil {

  190. 		ctx.ServerError("LoadUser", err)

  191. 		return

  192. 	}

  193. 

  194. 	if !app.ContainsRedirectURI(form.RedirectURI) {

  195. 		handleAuthorizeError(ctx, AuthorizeError{

  196. 			ErrorCode:        ErrorCodeInvalidRequest,

  197. 			ErrorDescription: "Unregistered Redirect URI",

  198. 			State:            form.State,

  199. 		}, "")

  200. 		return

  201. 	}

  202. 

  203. 	if form.ResponseType != "code" {

  204. 		handleAuthorizeError(ctx, AuthorizeError{

  205. 			ErrorCode:        ErrorCodeUnsupportedResponseType,

  206. 			ErrorDescription: "Only code response type is supported.",

  207. 			State:            form.State,

  208. 		}, form.RedirectURI)

  209. 		return

  210. 	}

  211. 

  212. 	// pkce support

  213. 	switch form.CodeChallengeMethod {

  214. 	case "S256":

  215. 	case "plain":

  216. 		if err := ctx.Session.Set("CodeChallengeMethod", form.CodeChallengeMethod); err != nil {

  217. 			handleAuthorizeError(ctx, AuthorizeError{

  218. 				ErrorCode:        ErrorCodeServerError,

  219. 				ErrorDescription: "cannot set code challenge method",

  220. 				State:            form.State,

  221. 			}, form.RedirectURI)

  222. 			return

  223. 		}

  224. 		if err := ctx.Session.Set("CodeChallengeMethod", form.CodeChallenge); err != nil {

  225. 			handleAuthorizeError(ctx, AuthorizeError{

  226. 				ErrorCode:        ErrorCodeServerError,

  227. 				ErrorDescription: "cannot set code challenge",

  228. 				State:            form.State,

  229. 			}, form.RedirectURI)

  230. 			return

  231. 		}

  232. 	case "":

  233. 		break

  234. 	default:

  235. 		handleAuthorizeError(ctx, AuthorizeError{

  236. 			ErrorCode:        ErrorCodeInvalidRequest,

  237. 			ErrorDescription: "unsupported code challenge method",

  238. 			State:            form.State,

  239. 		}, form.RedirectURI)

  240. 		return

  241. 	}

  242. 

  243. 	grant, err := app.GetGrantByUserID(ctx.User.ID)

  244. 	if err != nil {

  245. 		handleServerError(ctx, form.State, form.RedirectURI)

  246. 		return

  247. 	}

  248. 

  249. 	// Redirect if user already granted access

  250. 	if grant != nil {

  251. 		code, err := grant.GenerateNewAuthorizationCode(form.RedirectURI, form.CodeChallenge, form.CodeChallengeMethod)

  252. 		if err != nil {

  253. 			handleServerError(ctx, form.State, form.RedirectURI)

  254. 			return

  255. 		}

  256. 		redirect, err := code.GenerateRedirectURI(form.State)

  257. 		if err != nil {

  258. 			handleServerError(ctx, form.State, form.RedirectURI)

  259. 			return

  260. 		}

  261. 		ctx.Redirect(redirect.String(), 302)

  262. 		return

  263. 	}

  264. 

  265. 	// show authorize page to grant access

  266. 	ctx.Data["Application"] = app

  267. 	ctx.Data["RedirectURI"] = form.RedirectURI

  268. 	ctx.Data["State"] = form.State

  269. 	ctx.Data["ApplicationUserLink"] = "<a href=\"" + setting.AppURL + app.User.LowerName + "\">@" + app.User.Name + "</a>"

  270. 	ctx.Data["ApplicationRedirectDomainHTML"] = "<strong>" + form.RedirectURI + "</strong>"

  271. 	// TODO document SESSION <=> FORM

  272. 	err = ctx.Session.Set("client_id", app.ClientID)

  273. 	if err != nil {

  274. 		handleServerError(ctx, form.State, form.RedirectURI)

  275. 		log.Error(err.Error())

  276. 		return

  277. 	}

  278. 	err = ctx.Session.Set("redirect_uri", form.RedirectURI)

  279. 	if err != nil {

  280. 		handleServerError(ctx, form.State, form.RedirectURI)

  281. 		log.Error(err.Error())

  282. 		return

  283. 	}

  284. 	err = ctx.Session.Set("state", form.State)

  285. 	if err != nil {

  286. 		handleServerError(ctx, form.State, form.RedirectURI)

  287. 		log.Error(err.Error())

  288. 		return

  289. 	}

  290. 	ctx.HTML(200, tplGrantAccess)

  291. }

  292. 

  293. // GrantApplicationOAuth manages the post request submitted when a user grants access to an application

  294. func GrantApplicationOAuth(ctx *context.Context, form auth.GrantApplicationForm) {

  295. 	if ctx.Session.Get("client_id") != form.ClientID || ctx.Session.Get("state") != form.State ||

  296. 		ctx.Session.Get("redirect_uri") != form.RedirectURI {

  297. 		ctx.Error(400)

  298. 		return

  299. 	}

  300. 	app, err := models.GetOAuth2ApplicationByClientID(form.ClientID)

  301. 	if err != nil {

  302. 		ctx.ServerError("GetOAuth2ApplicationByClientID", err)

  303. 		return

  304. 	}

  305. 	grant, err := app.CreateGrant(ctx.User.ID)

  306. 	if err != nil {

  307. 		handleAuthorizeError(ctx, AuthorizeError{

  308. 			State:            form.State,

  309. 			ErrorDescription: "cannot create grant for user",

  310. 			ErrorCode:        ErrorCodeServerError,

  311. 		}, form.RedirectURI)

  312. 		return

  313. 	}

  314. 

  315. 	var codeChallenge, codeChallengeMethod string

  316. 	codeChallenge, _ = ctx.Session.Get("CodeChallenge").(string)

  317. 	codeChallengeMethod, _ = ctx.Session.Get("CodeChallengeMethod").(string)

  318. 

  319. 	code, err := grant.GenerateNewAuthorizationCode(form.RedirectURI, codeChallenge, codeChallengeMethod)

  320. 	if err != nil {

  321. 		handleServerError(ctx, form.State, form.RedirectURI)

  322. 		return

  323. 	}

  324. 	redirect, err := code.GenerateRedirectURI(form.State)

  325. 	if err != nil {

  326. 		handleServerError(ctx, form.State, form.RedirectURI)

  327. 		return

  328. 	}

  329. 	ctx.Redirect(redirect.String(), 302)

  330. }

  331. 

  332. // AccessTokenOAuth manages all access token requests by the client

  333. func AccessTokenOAuth(ctx *context.Context, form auth.AccessTokenForm) {

  334. 	if form.ClientID == "" {

  335. 		authHeader := ctx.Req.Header.Get("Authorization")

  336. 		authContent := strings.SplitN(authHeader, " ", 2)

  337. 		if len(authContent) == 2 && authContent[0] == "Basic" {

  338. 			payload, err := base64.StdEncoding.DecodeString(authContent[1])

  339. 			if err != nil {

  340. 				handleAccessTokenError(ctx, AccessTokenError{

  341. 					ErrorCode:        AccessTokenErrorCodeInvalidRequest,

  342. 					ErrorDescription: "cannot parse basic auth header",

  343. 				})

  344. 				return

  345. 			}

  346. 			pair := strings.SplitN(string(payload), ":", 2)

  347. 			if len(pair) != 2 {

  348. 				handleAccessTokenError(ctx, AccessTokenError{

  349. 					ErrorCode:        AccessTokenErrorCodeInvalidRequest,

  350. 					ErrorDescription: "cannot parse basic auth header",

  351. 				})

  352. 				return

  353. 			}

  354. 			form.ClientID = pair[0]

  355. 			form.ClientSecret = pair[1]

  356. 		}

  357. 	}

  358. 	switch form.GrantType {

  359. 	case "refresh_token":

  360. 		handleRefreshToken(ctx, form)

  361. 		return

  362. 	case "authorization_code":

  363. 		handleAuthorizationCode(ctx, form)

  364. 		return

  365. 	default:

  366. 		handleAccessTokenError(ctx, AccessTokenError{

  367. 			ErrorCode:        AccessTokenErrorCodeUnsupportedGrantType,

  368. 			ErrorDescription: "Only refresh_token or authorization_code grant type is supported",

  369. 		})

  370. 	}

  371. }

  372. 

  373. func handleRefreshToken(ctx *context.Context, form auth.AccessTokenForm) {

  374. 	token, err := models.ParseOAuth2Token(form.RefreshToken)

  375. 	if err != nil {

  376. 		handleAccessTokenError(ctx, AccessTokenError{

  377. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,

  378. 			ErrorDescription: "client is not authorized",

  379. 		})

  380. 		return

  381. 	}

  382. 	// get grant before increasing counter

  383. 	grant, err := models.GetOAuth2GrantByID(token.GrantID)

  384. 	if err != nil || grant == nil {

  385. 		handleAccessTokenError(ctx, AccessTokenError{

  386. 			ErrorCode:        AccessTokenErrorCodeInvalidGrant,

  387. 			ErrorDescription: "grant does not exist",

  388. 		})

  389. 		return

  390. 	}

  391. 

  392. 	// check if token got already used

  393. 	if setting.OAuth2.InvalidateRefreshTokens && (grant.Counter != token.Counter || token.Counter == 0) {

  394. 		handleAccessTokenError(ctx, AccessTokenError{

  395. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,

  396. 			ErrorDescription: "token was already used",

  397. 		})

  398. 		log.Warn("A client tried to use a refresh token for grant_id = %d was used twice!", grant.ID)

  399. 		return

  400. 	}

  401. 	accessToken, tokenErr := newAccessTokenResponse(grant)

  402. 	if tokenErr != nil {

  403. 		handleAccessTokenError(ctx, *tokenErr)

  404. 		return

  405. 	}

  406. 	ctx.JSON(200, accessToken)

  407. }

  408. 

  409. func handleAuthorizationCode(ctx *context.Context, form auth.AccessTokenForm) {

  410. 	app, err := models.GetOAuth2ApplicationByClientID(form.ClientID)

  411. 	if err != nil {

  412. 		handleAccessTokenError(ctx, AccessTokenError{

  413. 			ErrorCode:        AccessTokenErrorCodeInvalidClient,

  414. 			ErrorDescription: fmt.Sprintf("cannot load client with client id: '%s'", form.ClientID),

  415. 		})

  416. 		return

  417. 	}

  418. 	if !app.ValidateClientSecret([]byte(form.ClientSecret)) {

  419. 		handleAccessTokenError(ctx, AccessTokenError{

  420. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,

  421. 			ErrorDescription: "client is not authorized",

  422. 		})

  423. 		return

  424. 	}

  425. 	if form.RedirectURI != "" && !app.ContainsRedirectURI(form.RedirectURI) {

  426. 		handleAccessTokenError(ctx, AccessTokenError{

  427. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,

  428. 			ErrorDescription: "client is not authorized",

  429. 		})

  430. 		return

  431. 	}

  432. 	authorizationCode, err := models.GetOAuth2AuthorizationByCode(form.Code)

  433. 	if err != nil || authorizationCode == nil {

  434. 		handleAccessTokenError(ctx, AccessTokenError{

  435. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,

  436. 			ErrorDescription: "client is not authorized",

  437. 		})

  438. 		return

  439. 	}

  440. 	// check if code verifier authorizes the client, PKCE support

  441. 	if !authorizationCode.ValidateCodeChallenge(form.CodeVerifier) {

  442. 		handleAccessTokenError(ctx, AccessTokenError{

  443. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,

  444. 			ErrorDescription: "client is not authorized",

  445. 		})

  446. 		return

  447. 	}

  448. 	// check if granted for this application

  449. 	if authorizationCode.Grant.ApplicationID != app.ID {

  450. 		handleAccessTokenError(ctx, AccessTokenError{

  451. 			ErrorCode:        AccessTokenErrorCodeInvalidGrant,

  452. 			ErrorDescription: "invalid grant",

  453. 		})

  454. 		return

  455. 	}

  456. 	// remove token from database to deny duplicate usage

  457. 	if err := authorizationCode.Invalidate(); err != nil {

  458. 		handleAccessTokenError(ctx, AccessTokenError{

  459. 			ErrorCode:        AccessTokenErrorCodeInvalidRequest,

  460. 			ErrorDescription: "cannot proceed your request",

  461. 		})

  462. 	}

  463. 	resp, tokenErr := newAccessTokenResponse(authorizationCode.Grant)

  464. 	if tokenErr != nil {

  465. 		handleAccessTokenError(ctx, *tokenErr)

  466. 		return

  467. 	}

  468. 	// send successful response

  469. 	ctx.JSON(200, resp)

  470. }

  471. 

  472. func handleAccessTokenError(ctx *context.Context, acErr AccessTokenError) {

  473. 	ctx.JSON(400, acErr)

  474. }

  475. 

  476. func handleServerError(ctx *context.Context, state string, redirectURI string) {

  477. 	handleAuthorizeError(ctx, AuthorizeError{

  478. 		ErrorCode:        ErrorCodeServerError,

  479. 		ErrorDescription: "A server error occurred",

  480. 		State:            state,

  481. 	}, redirectURI)

  482. }

  483. 

  484. func handleAuthorizeError(ctx *context.Context, authErr AuthorizeError, redirectURI string) {

  485. 	if redirectURI == "" {

  486. 		log.Warn("Authorization failed: %v", authErr.ErrorDescription)

  487. 		ctx.Data["Error"] = authErr

  488. 		ctx.HTML(400, tplGrantError)

  489. 		return

  490. 	}

  491. 	redirect, err := url.Parse(redirectURI)

  492. 	if err != nil {

  493. 		ctx.ServerError("url.Parse", err)

  494. 		return

  495. 	}

  496. 	q := redirect.Query()

  497. 	q.Set("error", string(authErr.ErrorCode))

  498. 	q.Set("error_description", authErr.ErrorDescription)

  499. 	q.Set("state", authErr.State)

  500. 	redirect.RawQuery = q.Encode()

  501. 	ctx.Redirect(redirect.String(), 302)

  502. }
上海开阖软件有限公司 沪ICP备12045867号-1