oauth2_proxy/providers/provider_default.go

package providers

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io/ioutil"
	"net/http"
	"net/url"
	"time"

	"github.com/pusher/oauth2_proxy/cookie"
	"github.com/pusher/oauth2_proxy/pkg/apis/sessions"
)

// Redeem provides a default implementation of the OAuth2 token redemption process
func (p *ProviderData) Redeem(redirectURL, code string) (s *sessions.SessionState, err error) {
	if code == "" {
		err = errors.New("missing code")
		return
	}

	params := url.Values{}
	params.Add("redirect_uri", redirectURL)
	params.Add("client_id", p.ClientID)
	params.Add("client_secret", p.ClientSecret)
	params.Add("code", code)
	params.Add("grant_type", "authorization_code")
	if p.ProtectedResource != nil && p.ProtectedResource.String() != "" {
		params.Add("resource", p.ProtectedResource.String())
	}

	var req *http.Request
	req, err = http.NewRequest("POST", p.RedeemURL.String(), bytes.NewBufferString(params.Encode()))
	if err != nil {
		return
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

	var resp *http.Response
	resp, err = http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	var body []byte
	body, err = ioutil.ReadAll(resp.Body)
	resp.Body.Close()
	if err != nil {
		return
	}

	if resp.StatusCode != 200 {
		err = fmt.Errorf("got %d from %q %s", resp.StatusCode, p.RedeemURL.String(), body)
		return
	}

	// blindly try json and x-www-form-urlencoded
	var jsonResponse struct {
		AccessToken string `json:"access_token"`
	}
	err = json.Unmarshal(body, &jsonResponse)
	if err == nil {
		s = &sessions.SessionState{
			AccessToken: jsonResponse.AccessToken,
		}
		return
	}

	var v url.Values
	v, err = url.ParseQuery(string(body))
	if err != nil {
		return
	}
	if a := v.Get("access_token"); a != "" {
		s = &sessions.SessionState{AccessToken: a, CreatedAt: time.Now()}
	} else {
		err = fmt.Errorf("no access token found %s", body)
	}
	return
}

// GetLoginURL with typical oauth parameters
func (p *ProviderData) GetLoginURL(redirectURI, state string) string {
	var a url.URL
	a = *p.LoginURL
	params, _ := url.ParseQuery(a.RawQuery)
	params.Set("redirect_uri", redirectURI)
	params.Set("approval_prompt", p.ApprovalPrompt)
	params.Add("scope", p.Scope)
	params.Set("client_id", p.ClientID)
	params.Set("response_type", "code")
	params.Add("state", state)
	a.RawQuery = params.Encode()
	return a.String()
}

// CookieForSession serializes a session state for storage in a cookie
func (p *ProviderData) CookieForSession(s *sessions.SessionState, c *cookie.Cipher) (string, error) {
	return s.EncodeSessionState(c)
}

// SessionFromCookie deserializes a session from a cookie value
func (p *ProviderData) SessionFromCookie(v string, c *cookie.Cipher) (s *sessions.SessionState, err error) {
	return sessions.DecodeSessionState(v, c)
}

// GetEmailAddress returns the Account email address
func (p *ProviderData) GetEmailAddress(s *sessions.SessionState) (string, error) {
	return "", errors.New("not implemented")
}

// GetUserName returns the Account username
func (p *ProviderData) GetUserName(s *sessions.SessionState) (string, error) {
	return "", errors.New("not implemented")
}

// ValidateGroup validates that the provided email exists in the configured provider
// email group(s).
func (p *ProviderData) ValidateGroup(email string) bool {
	return true
}

// ValidateSessionState validates the AccessToken
func (p *ProviderData) ValidateSessionState(s *sessions.SessionState) bool {
	return validateToken(p, s.AccessToken, nil)
}

// RefreshSessionIfNeeded should refresh the user's session if required and
// do nothing if a refresh is not required
func (p *ProviderData) RefreshSessionIfNeeded(s *sessions.SessionState) (bool, error) {
	return false, nil
}
Github provider 2015-05-21 03:23:48 +00:00			`package providers`

			`import (`
			`"bytes"`
			`"encoding/json"`
			`"errors"`
More complete HTTP error logging 2015-06-06 18:15:43 +00:00			`"fmt"`
Github provider 2015-05-21 03:23:48 +00:00			`"io/ioutil"`
			`"net/http"`
			`"net/url"`
Add CreatedAt to SessionState 2019-05-07 14:32:46 +00:00			`"time"`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 11:23:39 +00:00
Move imports from bitly to pusher 2018-11-27 11:45:05 +00:00			`"github.com/pusher/oauth2_proxy/cookie"`
Move SessionState to its own package 2019-05-05 12:33:13 +00:00			`"github.com/pusher/oauth2_proxy/pkg/apis/sessions"`
Github provider 2015-05-21 03:23:48 +00:00			`)`

Add comments to exported methods for providers package 2018-12-20 10:37:59 +00:00			`// Redeem provides a default implementation of the OAuth2 token redemption process`
Move SessionState to its own package 2019-05-05 12:33:13 +00:00			`func (p ProviderData) Redeem(redirectURL, code string) (s sessions.SessionState, err error) {`
Github provider 2015-05-21 03:23:48 +00:00			`if code == "" {`
			`err = errors.New("missing code")`
			`return`
			`}`

			`params := url.Values{}`
*: rename Url to URL everywhere Go coding style says that acronyms should be all lower or all upper. Fix Url to URL. 2015-11-08 23:47:44 +00:00			`params.Add("redirect_uri", redirectURL)`
Github provider 2015-05-21 03:23:48 +00:00			`params.Add("client_id", p.ClientID)`
			`params.Add("client_secret", p.ClientSecret)`
			`params.Add("code", code)`
			`params.Add("grant_type", "authorization_code")`
Add Azure Provider 2015-11-09 08:28:34 +00:00			`if p.ProtectedResource != nil && p.ProtectedResource.String() != "" {`
			`params.Add("resource", p.ProtectedResource.String())`
			`}`

SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 11:23:39 +00:00			`var req *http.Request`
*: rename Url to URL everywhere Go coding style says that acronyms should be all lower or all upper. Fix Url to URL. 2015-11-08 23:47:44 +00:00			`req, err = http.NewRequest("POST", p.RedeemURL.String(), bytes.NewBufferString(params.Encode()))`
Github provider 2015-05-21 03:23:48 +00:00			`if err != nil {`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 11:23:39 +00:00			`return`
Github provider 2015-05-21 03:23:48 +00:00			`}`
			`req.Header.Set("Content-Type", "application/x-www-form-urlencoded")`

SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 11:23:39 +00:00			`var resp *http.Response`
			`resp, err = http.DefaultClient.Do(req)`
Github provider 2015-05-21 03:23:48 +00:00			`if err != nil {`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 11:23:39 +00:00			`return nil, err`
Github provider 2015-05-21 03:23:48 +00:00			`}`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 11:23:39 +00:00			`var body []byte`
Github provider 2015-05-21 03:23:48 +00:00			`body, err = ioutil.ReadAll(resp.Body)`
			`resp.Body.Close()`
			`if err != nil {`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 11:23:39 +00:00			`return`
Github provider 2015-05-21 03:23:48 +00:00			`}`

More complete HTTP error logging 2015-06-06 18:15:43 +00:00			`if resp.StatusCode != 200 {`
*: rename Url to URL everywhere Go coding style says that acronyms should be all lower or all upper. Fix Url to URL. 2015-11-08 23:47:44 +00:00			`err = fmt.Errorf("got %d from %q %s", resp.StatusCode, p.RedeemURL.String(), body)`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 11:23:39 +00:00			`return`
More complete HTTP error logging 2015-06-06 18:15:43 +00:00			`}`

Github provider 2015-05-21 03:23:48 +00:00			`// blindly try json and x-www-form-urlencoded`
			`var jsonResponse struct {`
			AccessToken string `json:"access_token"`
			`}`
			`err = json.Unmarshal(body, &jsonResponse)`
			`if err == nil {`
Move SessionState to its own package 2019-05-05 12:33:13 +00:00			`s = &sessions.SessionState{`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 11:23:39 +00:00			`AccessToken: jsonResponse.AccessToken,`
			`}`
			`return`
Github provider 2015-05-21 03:23:48 +00:00			`}`

SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 11:23:39 +00:00			`var v url.Values`
			`v, err = url.ParseQuery(string(body))`
			`if err != nil {`
			`return`
			`}`
			`if a := v.Get("access_token"); a != "" {`
Add CreatedAt to SessionState 2019-05-07 14:32:46 +00:00			`s = &sessions.SessionState{AccessToken: a, CreatedAt: time.Now()}`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 11:23:39 +00:00			`} else {`
			`err = fmt.Errorf("no access token found %s", body)`
			`}`
			`return`
Github provider 2015-05-21 03:23:48 +00:00			`}`
More complete HTTP error logging 2015-06-06 18:15:43 +00:00
immediately redeem refresh token for provider==Google 2015-06-23 17:23:47 +00:00			`// GetLoginURL with typical oauth parameters`
csrf protection; always set state 2017-03-28 01:14:38 +00:00			`func (p *ProviderData) GetLoginURL(redirectURI, state string) string {`
immediately redeem refresh token for provider==Google 2015-06-23 17:23:47 +00:00			`var a url.URL`
*: rename Url to URL everywhere Go coding style says that acronyms should be all lower or all upper. Fix Url to URL. 2015-11-08 23:47:44 +00:00			`a = *p.LoginURL`
immediately redeem refresh token for provider==Google 2015-06-23 17:23:47 +00:00			`params, _ := url.ParseQuery(a.RawQuery)`
			`params.Set("redirect_uri", redirectURI)`
Add a flag to set the value of "approval_prompt". By setting this to "force", certain providers, like Google, will interject an additional prompt on every new session. With other values, like "auto", this prompt is not forced upon the user. 2015-07-25 23:27:49 +00:00			`params.Set("approval_prompt", p.ApprovalPrompt)`
More complete HTTP error logging 2015-06-06 18:15:43 +00:00			`params.Add("scope", p.Scope)`
immediately redeem refresh token for provider==Google 2015-06-23 17:23:47 +00:00			`params.Set("client_id", p.ClientID)`
			`params.Set("response_type", "code")`
csrf protection; always set state 2017-03-28 01:14:38 +00:00			`params.Add("state", state)`
immediately redeem refresh token for provider==Google 2015-06-23 17:23:47 +00:00			`a.RawQuery = params.Encode()`
			`return a.String()`
More complete HTTP error logging 2015-06-06 18:15:43 +00:00			`}`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 11:23:39 +00:00
			`// CookieForSession serializes a session state for storage in a cookie`
Move SessionState to its own package 2019-05-05 12:33:13 +00:00			`func (p ProviderData) CookieForSession(s sessions.SessionState, c *cookie.Cipher) (string, error) {`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 11:23:39 +00:00			`return s.EncodeSessionState(c)`
			`}`

			`// SessionFromCookie deserializes a session from a cookie value`
Move SessionState to its own package 2019-05-05 12:33:13 +00:00			`func (p ProviderData) SessionFromCookie(v string, c cookie.Cipher) (s *sessions.SessionState, err error) {`
			`return sessions.DecodeSessionState(v, c)`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 11:23:39 +00:00			`}`

Add comments to exported methods for providers package 2018-12-20 10:37:59 +00:00			`// GetEmailAddress returns the Account email address`
Move SessionState to its own package 2019-05-05 12:33:13 +00:00			`func (p ProviderData) GetEmailAddress(s sessions.SessionState) (string, error) {`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 11:23:39 +00:00			`return "", errors.New("not implemented")`
			`}`

Github provider: use login as user - Save both user and email in session state: Encoding/decoding methods save both email and user field in session state, for use cases when User is not derived from email's local-parth, like for GitHub provider. For retrocompatibility, if no user is obtained by the provider, (e.g. User is an empty string) the encoding/decoding methods fall back to the previous behavior and use the email's local-part Updated also related tests and added two more tests to show behavior when session contains a non-empty user value. - Added first basic GitHub provider tests - Added GetUserName method to Provider interface The new GetUserName method is intended to return the User value when this is not the email's local-part. Added also the default implementation to provider_default.go - Added call to GetUserName in redeemCode the new GetUserName method is used in redeemCode to get SessionState User value. For backward compatibility, if GetUserName error is "not implemented", the error is ignored. - Added GetUserName method and tests to github provider. 2017-09-26 21:31:27 +00:00			`// GetUserName returns the Account username`
Move SessionState to its own package 2019-05-05 12:33:13 +00:00			`func (p ProviderData) GetUserName(s sessions.SessionState) (string, error) {`
Github provider: use login as user - Save both user and email in session state: Encoding/decoding methods save both email and user field in session state, for use cases when User is not derived from email's local-parth, like for GitHub provider. For retrocompatibility, if no user is obtained by the provider, (e.g. User is an empty string) the encoding/decoding methods fall back to the previous behavior and use the email's local-part Updated also related tests and added two more tests to show behavior when session contains a non-empty user value. - Added first basic GitHub provider tests - Added GetUserName method to Provider interface The new GetUserName method is intended to return the User value when this is not the email's local-part. Added also the default implementation to provider_default.go - Added call to GetUserName in redeemCode the new GetUserName method is used in redeemCode to get SessionState User value. For backward compatibility, if GetUserName error is "not implemented", the error is ignored. - Added GetUserName method and tests to github provider. 2017-09-26 21:31:27 +00:00			`return "", errors.New("not implemented")`
			`}`

google: Support restricting access to a specific group(s) 2015-08-20 10:07:02 +00:00			`// ValidateGroup validates that the provided email exists in the configured provider`
			`// email group(s).`
			`func (p *ProviderData) ValidateGroup(email string) bool {`
			`return true`
			`}`

Add comments to exported methods for providers package 2018-12-20 10:37:59 +00:00			`// ValidateSessionState validates the AccessToken`
Move SessionState to its own package 2019-05-05 12:33:13 +00:00			`func (p ProviderData) ValidateSessionState(s sessions.SessionState) bool {`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 11:23:39 +00:00			`return validateToken(p, s.AccessToken, nil)`
			`}`

Lint for non-comment linter errors 2018-11-29 14:26:41 +00:00			`// RefreshSessionIfNeeded should refresh the user's session if required and`
			`// do nothing if a refresh is not required`
Move SessionState to its own package 2019-05-05 12:33:13 +00:00			`func (p ProviderData) RefreshSessionIfNeeded(s sessions.SessionState) (bool, error) {`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 11:23:39 +00:00			`return false, nil`
			`}`