lavender/server/flow.go

176 lines
5.2 KiB
Go
Raw Normal View History

2023-10-01 21:44:49 +01:00
package server
import (
"context"
2023-10-01 21:44:49 +01:00
_ "embed"
2023-10-04 14:51:38 +01:00
"encoding/json"
"fmt"
2023-10-09 16:29:10 +01:00
"github.com/1f349/lavender/issuer"
"github.com/1f349/lavender/server/pages"
"github.com/MrMelon54/mjwt/auth"
"github.com/MrMelon54/mjwt/claims"
"github.com/golang-jwt/jwt/v4"
"github.com/google/uuid"
2023-10-01 21:44:49 +01:00
"github.com/julienschmidt/httprouter"
"golang.org/x/oauth2"
2023-10-01 21:44:49 +01:00
"net/http"
"net/mail"
2023-10-04 14:51:38 +01:00
"strings"
2023-10-03 23:20:28 +01:00
"time"
2023-10-01 21:44:49 +01:00
)
2023-10-09 00:04:28 +01:00
var uuidNewStringState = uuid.NewString
var uuidNewStringAti = uuid.NewString
var uuidNewStringRti = uuid.NewString
2023-10-09 16:29:10 +01:00
var testOa2Exchange = func(oa2conf oauth2.Config, ctx context.Context, code string) (*oauth2.Token, error) {
return oa2conf.Exchange(ctx, code)
}
var testOa2UserInfo = func(oidc *issuer.WellKnownOIDC, ctx context.Context, exchange *oauth2.Token) (*http.Response, error) {
client := oidc.OAuth2Config.Client(ctx, exchange)
return client.Get(oidc.UserInfoEndpoint)
}
2023-10-01 21:44:49 +01:00
func (h *HttpServer) flowPopup(rw http.ResponseWriter, req *http.Request, _ httprouter.Params) {
2023-10-09 00:04:28 +01:00
pages.RenderPageTemplate(rw, "flow-popup", map[string]any{
2023-10-08 15:24:59 +01:00
"ServiceName": h.conf.ServiceName,
2023-10-04 14:51:38 +01:00
"Origin": req.URL.Query().Get("origin"),
2023-10-01 21:44:49 +01:00
})
}
2023-10-03 23:20:28 +01:00
func (h *HttpServer) flowPopupPost(rw http.ResponseWriter, req *http.Request, _ httprouter.Params) {
loginName := req.PostFormValue("loginname")
login := h.manager.FindServiceFromLogin(loginName)
2023-10-01 21:44:49 +01:00
if login == nil {
http.Error(rw, "No login service defined for this username", http.StatusBadRequest)
return
}
// the @ must exist if the service is defined
n := strings.IndexByte(loginName, '@')
loginUn := loginName[:n]
2023-10-01 21:44:49 +01:00
2023-10-04 14:51:38 +01:00
targetOrigin := req.PostFormValue("origin")
if _, found := h.services[targetOrigin]; !found {
http.Error(rw, "Invalid target origin", http.StatusBadRequest)
2023-10-03 23:20:28 +01:00
return
}
// save state for use later
2023-10-09 00:04:28 +01:00
state := login.Config.Namespace + ":" + uuidNewStringState()
2023-10-03 23:20:28 +01:00
h.flowState.Set(state, flowStateData{
login,
2023-10-04 14:51:38 +01:00
targetOrigin,
2023-10-03 23:20:28 +01:00
}, time.Now().Add(15*time.Minute))
2023-10-01 21:44:49 +01:00
2023-10-03 23:20:28 +01:00
// generate oauth2 config and redirect to authorize URL
2023-10-04 14:51:38 +01:00
oa2conf := login.OAuth2Config
2023-10-08 15:24:59 +01:00
oa2conf.RedirectURL = h.conf.BaseUrl + "/callback"
nextUrl := oa2conf.AuthCodeURL(state, oauth2.SetAuthURLParam("login_name", loginUn))
http.Redirect(rw, req, nextUrl, http.StatusFound)
2023-10-01 21:44:49 +01:00
}
2023-10-03 23:20:28 +01:00
func (h *HttpServer) flowCallback(rw http.ResponseWriter, req *http.Request, _ httprouter.Params) {
err := req.ParseForm()
if err != nil {
http.Error(rw, "Error parsing form", http.StatusBadRequest)
return
}
2023-10-01 21:44:49 +01:00
2023-10-03 23:20:28 +01:00
q := req.URL.Query()
state := q.Get("state")
n := strings.IndexByte(state, ':')
if n == -1 || !h.manager.CheckNamespace(state[:n]) {
2023-10-09 16:29:10 +01:00
http.Error(rw, "Invalid state namespace", http.StatusBadRequest)
2023-10-03 23:20:28 +01:00
return
}
v, found := h.flowState.Get(state)
if !found {
http.Error(rw, "Invalid state", http.StatusBadRequest)
return
}
oa2conf := v.sso.OAuth2Config
2023-10-08 15:24:59 +01:00
oa2conf.RedirectURL = h.conf.BaseUrl + "/callback"
2023-10-09 16:29:10 +01:00
exchange, err := testOa2Exchange(oa2conf, context.Background(), q.Get("code"))
2023-10-04 14:51:38 +01:00
if err != nil {
fmt.Println("Failed exchange:", err)
2023-10-04 14:51:38 +01:00
http.Error(rw, "Failed to exchange code", http.StatusInternalServerError)
return
}
2023-10-09 16:29:10 +01:00
v2, err := testOa2UserInfo(v.sso, req.Context(), exchange)
2023-10-04 14:51:38 +01:00
if err != nil {
fmt.Println("Failed to get userinfo:", err)
2023-10-04 14:51:38 +01:00
http.Error(rw, "Failed to get userinfo", http.StatusInternalServerError)
return
}
defer v2.Body.Close()
if v2.StatusCode != http.StatusOK {
2023-10-09 16:29:10 +01:00
http.Error(rw, "Failed to get userinfo: unexpected status code", http.StatusInternalServerError)
2023-10-04 14:51:38 +01:00
return
}
var v3 map[string]any
if err = json.NewDecoder(v2.Body).Decode(&v3); err != nil {
fmt.Println("Failed to decode userinfo:", err)
2023-10-09 16:29:10 +01:00
http.Error(rw, "Failed to decode userinfo", http.StatusInternalServerError)
2023-10-04 14:51:38 +01:00
return
}
sub, ok := v3["sub"].(string)
if !ok {
2023-10-09 16:29:10 +01:00
http.Error(rw, "Invalid subject in userinfo", http.StatusInternalServerError)
return
}
aud, ok := v3["aud"].(string)
if !ok {
2023-10-09 16:29:10 +01:00
http.Error(rw, "Invalid audience in userinfo", http.StatusInternalServerError)
return
}
ps := claims.NewPermStorage()
if verified, ok := v3["email_verified"].(bool); ok && verified {
if mailAddress, ok := v3["email"].(string); ok {
address, err := mail.ParseAddress(mailAddress)
if err != nil {
http.Error(rw, "Invalid email in userinfo", http.StatusInternalServerError)
return
}
n := strings.IndexByte(address.Address, '@')
if n == -1 {
goto noEmailSupport
}
if address.Address[n+1:] != v.sso.Config.Namespace {
goto noEmailSupport
}
ps.Set("mail-client")
}
}
noEmailSupport:
nsSub := sub + "@" + v.sso.Config.Namespace
2023-10-09 00:04:28 +01:00
ati := uuidNewStringAti()
accessToken, err := h.signer.GenerateJwt(nsSub, ati, jwt.ClaimStrings{aud}, 15*time.Minute, auth.AccessTokenClaims{
Perms: ps,
})
if err != nil {
http.Error(rw, "Error generating access token", http.StatusInternalServerError)
return
}
2023-10-09 00:04:28 +01:00
refreshToken, err := h.signer.GenerateJwt(nsSub, uuidNewStringRti(), jwt.ClaimStrings{aud}, 15*time.Minute, auth.RefreshTokenClaims{AccessTokenId: ati})
if err != nil {
http.Error(rw, "Error generating refresh token", http.StatusInternalServerError)
return
}
2023-10-09 00:04:28 +01:00
pages.RenderPageTemplate(rw, "flow-callback", map[string]any{
2023-10-08 15:24:59 +01:00
"ServiceName": h.conf.ServiceName,
2023-10-04 14:51:38 +01:00
"TargetOrigin": v.targetOrigin,
"TargetMessage": v3,
"AccessToken": accessToken,
"RefreshToken": refreshToken,
2023-10-04 14:51:38 +01:00
})
2023-10-01 21:44:49 +01:00
}