|
|
// Package github implements OAuth2 support for github.com
package github
import ( "context" "crypto/rand" "encoding/hex" "encoding/json" "io/ioutil" "net/http" "net/url"
"github.com/google/go-github/github" "github.com/matrix-org/go-neb/database" "github.com/matrix-org/go-neb/services/github/client" "github.com/matrix-org/go-neb/types" log "github.com/sirupsen/logrus" "maunium.net/go/mautrix/id")
// RealmType of the Github Realm
const RealmType = "github"
// Realm can handle OAuth processes with github.com
//
// Example request:
// {
// "ClientSecret": "YOUR_CLIENT_SECRET",
// "ClientID": "YOUR_CLIENT_ID"
// }
type Realm struct { id string redirectURL string
// The client secret for this Github application.
ClientSecret string // The client ID for this Github application.
ClientID string // Optional. The URL to redirect the client to after authentication.
StarterLink string}
// Session represents an authenticated github session
type Session struct { id string userID id.UserID realmID string
// AccessToken is the github access token for the user
AccessToken string // Scopes are the set of *ALLOWED* scopes (which may not be the same as the requested scopes)
Scopes string // Optional. The client-supplied URL to redirect them to after the auth process is complete.
ClientsRedirectURL string}
// AuthRequest is a request for authenticating with github.com
type AuthRequest struct { // Optional. The URL to redirect to after authentication.
RedirectURL string}
// AuthResponse is a response to an AuthRequest.
type AuthResponse struct { // The URL to visit to perform OAuth on github.com
URL string}
// Authenticated returns true if the user has completed the auth process
func (s *Session) Authenticated() bool { return s.AccessToken != ""}
// Info returns a list of possible repositories that this session can integrate with.
func (s *Session) Info() interface{} { logger := log.WithFields(log.Fields{ "user_id": s.userID, "realm_id": s.realmID, }) cli := client.New(s.AccessToken) var repos []client.TrimmedRepository
opts := &github.RepositoryListOptions{ Type: "all", ListOptions: github.ListOptions{ PerPage: 100, }, } for { // query for a list of possible projects
rs, resp, err := cli.Repositories.List(context.Background(), "", opts) if err != nil { logger.WithError(err).Print("Failed to query github projects on github.com") return nil }
for _, r := range rs { repos = append(repos, client.TrimRepository(r)) }
if resp.NextPage == 0 { break } opts.ListOptions.Page = resp.NextPage logger.Print("Session.Info() Next => ", resp.NextPage) } logger.Print("Session.Info() Returning ", len(repos), " repos")
return struct { Repos []client.TrimmedRepository }{repos}}
// UserID returns the user_id who authorised with Github
func (s *Session) UserID() id.UserID { return s.userID}
// RealmID returns the realm ID of the realm which performed the authentication
func (s *Session) RealmID() string { return s.realmID}
// ID returns the session ID
func (s *Session) ID() string { return s.id}
// ID returns the realm ID
func (r *Realm) ID() string { return r.id}
// Type is github
func (r *Realm) Type() string { return RealmType}
// Init does nothing.
func (r *Realm) Init() error { return nil}
// Register does nothing.
func (r *Realm) Register() error { return nil}
// RequestAuthSession generates an OAuth2 URL for this user to auth with github via.
// The request body is of type "github.AuthRequest". The response is of type "github.AuthResponse".
//
// Request example:
// {
// "RedirectURL": "https://optional-url.com/to/redirect/to/after/auth"
// }
//
// Response example:
// {
// "URL": "https://github.com/login/oauth/authorize?client_id=abcdef&client_secret=acascacac...."
// }
func (r *Realm) RequestAuthSession(userID id.UserID, req json.RawMessage) interface{} { state, err := randomString(10) if err != nil { log.WithError(err).Print("Failed to generate state param") return nil }
u, _ := url.Parse("https://github.com/login/oauth/authorize") q := u.Query() q.Set("client_id", r.ClientID) q.Set("client_secret", r.ClientSecret) q.Set("state", state) q.Set("redirect_uri", r.redirectURL) q.Set("scope", "admin:repo_hook,admin:org_hook,repo") u.RawQuery = q.Encode() session := &Session{ id: state, // key off the state for redirects
userID: userID, realmID: r.ID(), }
// check if they supplied a redirect URL
var reqBody AuthRequest if err = json.Unmarshal(req, &reqBody); err != nil { log.WithError(err).Print("Failed to decode request body") return nil } session.ClientsRedirectURL = reqBody.RedirectURL log.WithFields(log.Fields{ "clients_redirect_url": session.ClientsRedirectURL, "redirect_url": u.String(), }).Print("RequestAuthSession: Performing redirect")
_, err = database.GetServiceDB().StoreAuthSession(session) if err != nil { log.WithError(err).Print("Failed to store new auth session") return nil }
return &AuthResponse{u.String()}}
// OnReceiveRedirect processes OAuth redirect requests from Github
func (r *Realm) OnReceiveRedirect(w http.ResponseWriter, req *http.Request) { // parse out params from the request
code := req.URL.Query().Get("code") state := req.URL.Query().Get("state") logger := log.WithFields(log.Fields{ "state": state, }) logger.WithField("code", code).Print("GithubRealm: OnReceiveRedirect") if code == "" || state == "" { failWith(logger, w, 400, "code and state are required", nil) return } // load the session (we keyed off the state param)
session, err := database.GetServiceDB().LoadAuthSessionByID(r.ID(), state) if err != nil { // most likely cause
failWith(logger, w, 400, "Provided ?state= param is not recognised.", err) return } ghSession, ok := session.(*Session) if !ok { failWith(logger, w, 500, "Unexpected session found.", nil) return } logger.WithField("user_id", ghSession.UserID()).Print("Mapped redirect to user")
if ghSession.AccessToken != "" && ghSession.Scopes != "" { r.redirectOr(w, 400, "You have already authenticated with Github", logger, ghSession) return }
// exchange code for access_token
res, err := http.PostForm("https://github.com/login/oauth/access_token", url.Values{"client_id": {r.ClientID}, "client_secret": {r.ClientSecret}, "code": {code}}) if err != nil { failWith(logger, w, 502, "Failed to exchange code for token", err) return } defer res.Body.Close() body, err := ioutil.ReadAll(res.Body) if err != nil { failWith(logger, w, 502, "Failed to read token response", err) return } vals, err := url.ParseQuery(string(body)) if err != nil { failWith(logger, w, 502, "Failed to parse token response", err) return }
// update database and return
ghSession.AccessToken = vals.Get("access_token") ghSession.Scopes = vals.Get("scope") logger.WithField("scope", ghSession.Scopes).Print("Scopes granted.") _, err = database.GetServiceDB().StoreAuthSession(ghSession) if err != nil { failWith(logger, w, 500, "Failed to persist session", err) return } r.redirectOr( w, 200, "You have successfully linked your Github account to "+ghSession.UserID().String(), logger, ghSession, )}
func (r *Realm) redirectOr(w http.ResponseWriter, code int, msg string, logger *log.Entry, ghSession *Session) { if ghSession.ClientsRedirectURL != "" { w.Header().Set("Location", ghSession.ClientsRedirectURL) w.WriteHeader(302) // technically don't need a body but *shrug*
w.Write([]byte(ghSession.ClientsRedirectURL)) } else { failWith(logger, w, code, msg, nil) }}
// AuthSession returns a Github Session for this user
func (r *Realm) AuthSession(id string, userID id.UserID, realmID string) types.AuthSession { return &Session{ id: id, userID: userID, realmID: realmID, }}
func failWith(logger *log.Entry, w http.ResponseWriter, code int, msg string, err error) { logger.WithError(err).Print(msg) w.WriteHeader(code) w.Write([]byte(msg))}
// Generate a cryptographically secure pseudorandom string with the given number of bytes (length).
// Returns a hex string of the bytes.
func randomString(length int) (string, error) { b := make([]byte, length) _, err := rand.Read(b) if err != nil { return "", err } return hex.EncodeToString(b), nil}
func init() { types.RegisterAuthRealm(func(realmID, redirectURL string) types.AuthRealm { return &Realm{id: realmID, redirectURL: redirectURL} })}
|
