oauth2_proxy/providers/github.go

package providers

import (
	"encoding/json"
	"fmt"
	"strings"
	"io/ioutil"
	"log"
	"net/http"
	"net/url"
)

type GitHubProvider struct {
	*ProviderData
	Org  string
	Team string
}

func NewGitHubProvider(p *ProviderData) *GitHubProvider {
	p.ProviderName = "GitHub"
	if p.LoginURL == nil || p.LoginURL.String() == "" {
		p.LoginURL = &url.URL{
			Scheme: "https",
			Host:   "github.com",
			Path:   "/login/oauth/authorize",
		}
	}
	if p.RedeemURL == nil || p.RedeemURL.String() == "" {
		p.RedeemURL = &url.URL{
			Scheme: "https",
			Host:   "github.com",
			Path:   "/login/oauth/access_token",
		}
	}
	if p.ValidateURL == nil || p.ValidateURL.String() == "" {
		p.ValidateURL = &url.URL{
			Scheme: "https",
			Host:   "api.github.com",
			Path:   "/user/emails",
		}
	}
	if p.Scope == "" {
		p.Scope = "user:email"
	}
	return &GitHubProvider{ProviderData: p}
}
func (p *GitHubProvider) SetOrgTeam(org, team string) {
	p.Org = org
	p.Team = team
	if org != "" || team != "" {
		p.Scope += " read:org"
	}
}

func (p *GitHubProvider) hasOrg(accessToken string) (bool, error) {
	// https://developer.github.com/v3/orgs/#list-your-organizations

	var orgs []struct {
		Login string `json:"login"`
	}

	params := url.Values{
		"access_token": {accessToken},
		"limit":        {"100"},
	}

	endpoint := p.ValidateURL.Scheme + "://"  + p.ValidateURL.Host + "/user/orgs?" + params.Encode()
	req, _ := http.NewRequest("GET", endpoint, nil)
	req.Header.Set("Accept", "application/vnd.github.v3+json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return false, err
	}

	body, err := ioutil.ReadAll(resp.Body)
	resp.Body.Close()
	if err != nil {
		return false, err
	}
	if resp.StatusCode != 200 {
		return false, fmt.Errorf("got %d from %q %s", resp.StatusCode, endpoint, body)
	}

	if err := json.Unmarshal(body, &orgs); err != nil {
		return false, err
	}

	var presentOrgs []string
	for _, org := range orgs {
		if p.Org == org.Login {
			log.Printf("Found Github Organization: %q", org.Login)
			return true, nil
		}
		presentOrgs = append(presentOrgs, org.Login)
	}

	log.Printf("Missing Organization:%q in %v", p.Org, presentOrgs)
	return false, nil
}

func (p *GitHubProvider) hasOrgAndTeam(accessToken string) (bool, error) {
	// https://developer.github.com/v3/orgs/teams/#list-user-teams

	var teams []struct {
		Name string `json:"name"`
		Slug string `json:"slug"`
		Org  struct {
			Login string `json:"login"`
		} `json:"organization"`
	}

	params := url.Values{
		"access_token": {accessToken},
		"limit":        {"100"},
	}

	endpoint := p.ValidateURL.Scheme + "://" + p.ValidateURL.Host + "/user/teams?" + params.Encode()
	req, _ := http.NewRequest("GET", endpoint, nil)
	req.Header.Set("Accept", "application/vnd.github.v3+json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return false, err
	}

	body, err := ioutil.ReadAll(resp.Body)
	resp.Body.Close()
	if err != nil {
		return false, err
	}
	if resp.StatusCode != 200 {
		return false, fmt.Errorf("got %d from %q %s", resp.StatusCode, endpoint, body)
	}

	if err := json.Unmarshal(body, &teams); err != nil {
		return false, fmt.Errorf("%s unmarshaling %s", err, body)
	}

	var hasOrg bool
	presentOrgs := make(map[string]bool)
	var presentTeams []string
	for _, team := range teams {
		presentOrgs[team.Org.Login] = true
		if p.Org == team.Org.Login {
			hasOrg = true
			ts := strings.Split(p.Team, ",")
			for _, t := range ts {
				if t == team.Slug {
					log.Printf("Found Github Organization:%q Team:%q (Name:%q)", team.Org.Login, team.Slug, team.Name)
					return true, nil
				}
			}
			presentTeams = append(presentTeams, team.Slug)
		}
	}
	if hasOrg {
		log.Printf("Missing Team:%q from Org:%q in teams: %v", p.Team, p.Org, presentTeams)
	} else {
		var allOrgs []string
		for org, _ := range presentOrgs {
			allOrgs = append(allOrgs, org)
		}
		log.Printf("Missing Organization:%q in %#v", p.Org, allOrgs)
	}
	return false, nil
}

func (p *GitHubProvider) GetEmailAddress(s *SessionState) (string, error) {

	var emails []struct {
		Email   string `json:"email"`
		Primary bool   `json:"primary"`
	}

	// if we require an Org or Team, check that first
	if p.Org != "" {
		if p.Team != "" {
			if ok, err := p.hasOrgAndTeam(s.AccessToken); err != nil || !ok {
				return "", err
			}
		} else {
			if ok, err := p.hasOrg(s.AccessToken); err != nil || !ok {
				return "", err
			}
		}
	}

	params := url.Values{
		"access_token": {s.AccessToken},
	}
	endpoint := p.ValidateURL.Scheme + "://" + p.ValidateURL.Host + p.ValidateURL.Path + "?" + params.Encode()
	resp, err := http.DefaultClient.Get(endpoint)
	if err != nil {
		return "", err
	}
	body, err := ioutil.ReadAll(resp.Body)
	resp.Body.Close()
	if err != nil {
		return "", err
	}

	if resp.StatusCode != 200 {
		return "", fmt.Errorf("got %d from %q %s", resp.StatusCode, endpoint, body)
	} else {
		log.Printf("got %d from %q %s", resp.StatusCode, endpoint, body)
	}

	if err := json.Unmarshal(body, &emails); err != nil {
		return "", fmt.Errorf("%s unmarshaling %s", err, body)
	}

	for _, email := range emails {
		if email.Primary {
			return email.Email, nil
		}
	}

	return "", nil
}
Github provider 2015-05-21 03:23:48 +00:00			`package providers`

			`import (`
			`"encoding/json"`
More complete HTTP error logging 2015-06-06 18:15:43 +00:00			`"fmt"`
github provider: allow multiple teams 2016-02-17 10:21:27 +00:00			`"strings"`
Github provider 2015-05-21 03:23:48 +00:00			`"io/ioutil"`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 11:23:39 +00:00			`"log"`
Github provider 2015-05-21 03:23:48 +00:00			`"net/http"`
			`"net/url"`
			`)`

			`type GitHubProvider struct {`
			`*ProviderData`
			`Org string`
			`Team string`
			`}`

			`func NewGitHubProvider(p ProviderData) GitHubProvider {`
			`p.ProviderName = "GitHub"`
*: rename Url to URL everywhere Go coding style says that acronyms should be all lower or all upper. Fix Url to URL. 2015-11-08 23:47:44 +00:00			`if p.LoginURL == nil \|\| p.LoginURL.String() == "" {`
			`p.LoginURL = &url.URL{`
Github provider 2015-05-21 03:23:48 +00:00			`Scheme: "https",`
			`Host: "github.com",`
			`Path: "/login/oauth/authorize",`
			`}`
			`}`
*: rename Url to URL everywhere Go coding style says that acronyms should be all lower or all upper. Fix Url to URL. 2015-11-08 23:47:44 +00:00			`if p.RedeemURL == nil \|\| p.RedeemURL.String() == "" {`
			`p.RedeemURL = &url.URL{`
Github provider 2015-05-21 03:23:48 +00:00			`Scheme: "https",`
			`Host: "github.com",`
			`Path: "/login/oauth/access_token",`
			`}`
			`}`
*: rename Url to URL everywhere Go coding style says that acronyms should be all lower or all upper. Fix Url to URL. 2015-11-08 23:47:44 +00:00			`if p.ValidateURL == nil \|\| p.ValidateURL.String() == "" {`
			`p.ValidateURL = &url.URL{`
Github provider 2015-05-21 03:23:48 +00:00			`Scheme: "https",`
			`Host: "api.github.com",`
			`Path: "/user/emails",`
			`}`
			`}`
			`if p.Scope == "" {`
			`p.Scope = "user:email"`
			`}`
			`return &GitHubProvider{ProviderData: p}`
			`}`
			`func (p *GitHubProvider) SetOrgTeam(org, team string) {`
			`p.Org = org`
			`p.Team = team`
			`if org != "" \|\| team != "" {`
			`p.Scope += " read:org"`
			`}`
			`}`

github: handle users part of an Org not on a team 2015-06-06 18:03:59 +00:00			`func (p *GitHubProvider) hasOrg(accessToken string) (bool, error) {`
			`// https://developer.github.com/v3/orgs/#list-your-organizations`

			`var orgs []struct {`
			Login string `json:"login"`
			`}`

			`params := url.Values{`
			`"access_token": {accessToken},`
More complete HTTP error logging 2015-06-06 18:15:43 +00:00			`"limit": {"100"},`
github: handle users part of an Org not on a team 2015-06-06 18:03:59 +00:00			`}`

adding enterprise github provider print the error stack trace point to my fork in oauthproxy.go addint pointers to ruta-goomba fork in mulitple files change api endpoint replace hard-coded github api endpoint with variables resetting fall through github urls to point to github.com fix malformed url changes to enable use with enterprise github 2016-01-18 17:33:25 +00:00			`endpoint := p.ValidateURL.Scheme + "://" + p.ValidateURL.Host + "/user/orgs?" + params.Encode()`
More complete HTTP error logging 2015-06-06 18:15:43 +00:00			`req, _ := http.NewRequest("GET", endpoint, nil)`
github: better debug output for org/team validation 2015-07-24 20:10:10 +00:00			`req.Header.Set("Accept", "application/vnd.github.v3+json")`
github: handle users part of an Org not on a team 2015-06-06 18:03:59 +00:00			`resp, err := http.DefaultClient.Do(req)`
			`if err != nil {`
			`return false, err`
			`}`

			`body, err := ioutil.ReadAll(resp.Body)`
			`resp.Body.Close()`
			`if err != nil {`
			`return false, err`
			`}`
More complete HTTP error logging 2015-06-06 18:15:43 +00:00			`if resp.StatusCode != 200 {`
			`return false, fmt.Errorf("got %d from %q %s", resp.StatusCode, endpoint, body)`
			`}`
github: handle users part of an Org not on a team 2015-06-06 18:03:59 +00:00
			`if err := json.Unmarshal(body, &orgs); err != nil {`
			`return false, err`
			`}`

github: better debug output for org/team validation 2015-07-24 20:10:10 +00:00			`var presentOrgs []string`
github: handle users part of an Org not on a team 2015-06-06 18:03:59 +00:00			`for _, org := range orgs {`
			`if p.Org == org.Login {`
github: better debug output for org/team validation 2015-07-24 20:10:10 +00:00			`log.Printf("Found Github Organization: %q", org.Login)`
github: handle users part of an Org not on a team 2015-06-06 18:03:59 +00:00			`return true, nil`
			`}`
github: better debug output for org/team validation 2015-07-24 20:10:10 +00:00			`presentOrgs = append(presentOrgs, org.Login)`
github: handle users part of an Org not on a team 2015-06-06 18:03:59 +00:00			`}`
github: better debug output for org/team validation 2015-07-24 20:10:10 +00:00
			`log.Printf("Missing Organization:%q in %v", p.Org, presentOrgs)`
github: handle users part of an Org not on a team 2015-06-06 18:03:59 +00:00			`return false, nil`
			`}`

Github provider 2015-05-21 03:23:48 +00:00			`func (p *GitHubProvider) hasOrgAndTeam(accessToken string) (bool, error) {`
github: handle users part of an Org not on a team 2015-06-06 18:03:59 +00:00			`// https://developer.github.com/v3/orgs/teams/#list-user-teams`
Github provider 2015-05-21 03:23:48 +00:00
			`var teams []struct {`
			Name string `json:"name"`
			Slug string `json:"slug"`
			`Org struct {`
			Login string `json:"login"`
			} `json:"organization"`
			`}`

			`params := url.Values{`
			`"access_token": {accessToken},`
More complete HTTP error logging 2015-06-06 18:15:43 +00:00			`"limit": {"100"},`
Github provider 2015-05-21 03:23:48 +00:00			`}`

adding enterprise github provider print the error stack trace point to my fork in oauthproxy.go addint pointers to ruta-goomba fork in mulitple files change api endpoint replace hard-coded github api endpoint with variables resetting fall through github urls to point to github.com fix malformed url changes to enable use with enterprise github 2016-01-18 17:33:25 +00:00			`endpoint := p.ValidateURL.Scheme + "://" + p.ValidateURL.Host + "/user/teams?" + params.Encode()`
More complete HTTP error logging 2015-06-06 18:15:43 +00:00			`req, _ := http.NewRequest("GET", endpoint, nil)`
github: better debug output for org/team validation 2015-07-24 20:10:10 +00:00			`req.Header.Set("Accept", "application/vnd.github.v3+json")`
Github provider 2015-05-21 03:23:48 +00:00			`resp, err := http.DefaultClient.Do(req)`
			`if err != nil {`
			`return false, err`
			`}`

			`body, err := ioutil.ReadAll(resp.Body)`
			`resp.Body.Close()`
			`if err != nil {`
			`return false, err`
			`}`
More complete HTTP error logging 2015-06-06 18:15:43 +00:00			`if resp.StatusCode != 200 {`
			`return false, fmt.Errorf("got %d from %q %s", resp.StatusCode, endpoint, body)`
			`}`
Github provider 2015-05-21 03:23:48 +00:00
			`if err := json.Unmarshal(body, &teams); err != nil {`
More complete HTTP error logging 2015-06-06 18:15:43 +00:00			`return false, fmt.Errorf("%s unmarshaling %s", err, body)`
Github provider 2015-05-21 03:23:48 +00:00			`}`

github: better debug output for org/team validation 2015-07-24 20:10:10 +00:00			`var hasOrg bool`
			`presentOrgs := make(map[string]bool)`
			`var presentTeams []string`
Github provider 2015-05-21 03:23:48 +00:00			`for _, team := range teams {`
github: better debug output for org/team validation 2015-07-24 20:10:10 +00:00			`presentOrgs[team.Org.Login] = true`
Github provider 2015-05-21 03:23:48 +00:00			`if p.Org == team.Org.Login {`
github: better debug output for org/team validation 2015-07-24 20:10:10 +00:00			`hasOrg = true`
github provider: allow multiple teams 2016-02-17 10:21:27 +00:00			`ts := strings.Split(p.Team, ",")`
			`for _, t := range ts {`
			`if t == team.Slug {`
			`log.Printf("Found Github Organization:%q Team:%q (Name:%q)", team.Org.Login, team.Slug, team.Name)`
			`return true, nil`
			`}`
Github provider 2015-05-21 03:23:48 +00:00			`}`
github: better debug output for org/team validation 2015-07-24 20:10:10 +00:00			`presentTeams = append(presentTeams, team.Slug)`
			`}`
			`}`
			`if hasOrg {`
			`log.Printf("Missing Team:%q from Org:%q in teams: %v", p.Team, p.Org, presentTeams)`
			`} else {`
			`var allOrgs []string`
			`for org, _ := range presentOrgs {`
			`allOrgs = append(allOrgs, org)`
Github provider 2015-05-21 03:23:48 +00:00			`}`
github: better debug output for org/team validation 2015-07-24 20:10:10 +00:00			`log.Printf("Missing Organization:%q in %#v", p.Org, allOrgs)`
Github provider 2015-05-21 03:23:48 +00:00			`}`
			`return false, nil`
			`}`

SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 11:23:39 +00:00			`func (p GitHubProvider) GetEmailAddress(s SessionState) (string, error) {`
Github provider 2015-05-21 03:23:48 +00:00
			`var emails []struct {`
			Email string `json:"email"`
			Primary bool `json:"primary"`
			`}`

			`// if we require an Org or Team, check that first`
github: handle users part of an Org not on a team 2015-06-06 18:03:59 +00:00			`if p.Org != "" {`
			`if p.Team != "" {`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 11:23:39 +00:00			`if ok, err := p.hasOrgAndTeam(s.AccessToken); err != nil \|\| !ok {`
github: handle users part of an Org not on a team 2015-06-06 18:03:59 +00:00			`return "", err`
			`}`
			`} else {`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 11:23:39 +00:00			`if ok, err := p.hasOrg(s.AccessToken); err != nil \|\| !ok {`
github: handle users part of an Org not on a team 2015-06-06 18:03:59 +00:00			`return "", err`
			`}`
Github provider 2015-05-21 03:23:48 +00:00			`}`
			`}`

github: handle users part of an Org not on a team 2015-06-06 18:03:59 +00:00			`params := url.Values{`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 11:23:39 +00:00			`"access_token": {s.AccessToken},`
github: handle users part of an Org not on a team 2015-06-06 18:03:59 +00:00			`}`
adding enterprise github provider print the error stack trace point to my fork in oauthproxy.go addint pointers to ruta-goomba fork in mulitple files change api endpoint replace hard-coded github api endpoint with variables resetting fall through github urls to point to github.com fix malformed url changes to enable use with enterprise github 2016-01-18 17:33:25 +00:00			`endpoint := p.ValidateURL.Scheme + "://" + p.ValidateURL.Host + p.ValidateURL.Path + "?" + params.Encode()`
More complete HTTP error logging 2015-06-06 18:15:43 +00:00			`resp, err := http.DefaultClient.Get(endpoint)`
Github provider 2015-05-21 03:23:48 +00:00			`if err != nil {`
			`return "", err`
			`}`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 11:23:39 +00:00			`body, err := ioutil.ReadAll(resp.Body)`
Github provider 2015-05-21 03:23:48 +00:00			`resp.Body.Close()`
			`if err != nil {`
			`return "", err`
			`}`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 11:23:39 +00:00
More complete HTTP error logging 2015-06-06 18:15:43 +00:00			`if resp.StatusCode != 200 {`
			`return "", fmt.Errorf("got %d from %q %s", resp.StatusCode, endpoint, body)`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 11:23:39 +00:00			`} else {`
			`log.Printf("got %d from %q %s", resp.StatusCode, endpoint, body)`
More complete HTTP error logging 2015-06-06 18:15:43 +00:00			`}`
Github provider 2015-05-21 03:23:48 +00:00
			`if err := json.Unmarshal(body, &emails); err != nil {`
More complete HTTP error logging 2015-06-06 18:15:43 +00:00			`return "", fmt.Errorf("%s unmarshaling %s", err, body)`
Github provider 2015-05-21 03:23:48 +00:00			`}`

			`for _, email := range emails {`
			`if email.Primary {`
			`return email.Email, nil`
			`}`
			`}`

More robust handling for missing email 2015-07-24 20:23:19 +00:00			`return "", nil`
Github provider 2015-05-21 03:23:48 +00:00			`}`