Make oauth2 code clear. Move oauth2 provider code to their own packages/files (#32148)

Fix #30266 Replace #31533
2025-07-22 18:28:37 +00:00 · 2024-10-02 08:03:19 +08:00
parent 70b7df0e5e
commit 3a4a1bffbe
11 changed files with 933 additions and 888 deletions
--- a/services/auth/source/oauth2/init.go
+++ b/services/auth/source/oauth2/init.go
@@ -30,10 +30,6 @@ const ProviderHeaderKey = "gitea-oauth2-provider"

 // Init initializes the oauth source
 func Init(ctx context.Context) error {
-	if err := InitSigningKey(); err != nil {
-		return err
-	}
-
 	// Lock our mutex
 	gothRWMutex.Lock()

--- a/services/auth/source/oauth2/jwtsigningkey.go
+++ b/services/auth/source/oauth2/jwtsigningkey.go
@@ -1,404 +0,0 @@
-// Copyright 2021 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package oauth2
-
-import (
-	"crypto/ecdsa"
-	"crypto/ed25519"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/x509"
-	"encoding/base64"
-	"encoding/pem"
-	"fmt"
-	"math/big"
-	"os"
-	"path/filepath"
-	"strings"
-
-	"code.gitea.io/gitea/modules/log"
-	"code.gitea.io/gitea/modules/setting"
-	"code.gitea.io/gitea/modules/util"
-
-	"github.com/golang-jwt/jwt/v5"
-)
-
-// ErrInvalidAlgorithmType represents an invalid algorithm error.
-type ErrInvalidAlgorithmType struct {
-	Algorithm string
-}
-
-func (err ErrInvalidAlgorithmType) Error() string {
-	return fmt.Sprintf("JWT signing algorithm is not supported: %s", err.Algorithm)
-}
-
-// JWTSigningKey represents a algorithm/key pair to sign JWTs
-type JWTSigningKey interface {
-	IsSymmetric() bool
-	SigningMethod() jwt.SigningMethod
-	SignKey() any
-	VerifyKey() any
-	ToJWK() (map[string]string, error)
-	PreProcessToken(*jwt.Token)
-}
-
-type hmacSigningKey struct {
-	signingMethod jwt.SigningMethod
-	secret        []byte
-}
-
-func (key hmacSigningKey) IsSymmetric() bool {
-	return true
-}
-
-func (key hmacSigningKey) SigningMethod() jwt.SigningMethod {
-	return key.signingMethod
-}
-
-func (key hmacSigningKey) SignKey() any {
-	return key.secret
-}
-
-func (key hmacSigningKey) VerifyKey() any {
-	return key.secret
-}
-
-func (key hmacSigningKey) ToJWK() (map[string]string, error) {
-	return map[string]string{
-		"kty": "oct",
-		"alg": key.SigningMethod().Alg(),
-	}, nil
-}
-
-func (key hmacSigningKey) PreProcessToken(*jwt.Token) {}
-
-type rsaSingingKey struct {
-	signingMethod jwt.SigningMethod
-	key           *rsa.PrivateKey
-	id            string
-}
-
-func newRSASingingKey(signingMethod jwt.SigningMethod, key *rsa.PrivateKey) (rsaSingingKey, error) {
-	kid, err := util.CreatePublicKeyFingerprint(key.Public().(*rsa.PublicKey))
-	if err != nil {
-		return rsaSingingKey{}, err
-	}
-
-	return rsaSingingKey{
-		signingMethod,
-		key,
-		base64.RawURLEncoding.EncodeToString(kid),
-	}, nil
-}
-
-func (key rsaSingingKey) IsSymmetric() bool {
-	return false
-}
-
-func (key rsaSingingKey) SigningMethod() jwt.SigningMethod {
-	return key.signingMethod
-}
-
-func (key rsaSingingKey) SignKey() any {
-	return key.key
-}
-
-func (key rsaSingingKey) VerifyKey() any {
-	return key.key.Public()
-}
-
-func (key rsaSingingKey) ToJWK() (map[string]string, error) {
-	pubKey := key.key.Public().(*rsa.PublicKey)
-
-	return map[string]string{
-		"kty": "RSA",
-		"alg": key.SigningMethod().Alg(),
-		"kid": key.id,
-		"e":   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(pubKey.E)).Bytes()),
-		"n":   base64.RawURLEncoding.EncodeToString(pubKey.N.Bytes()),
-	}, nil
-}
-
-func (key rsaSingingKey) PreProcessToken(token *jwt.Token) {
-	token.Header["kid"] = key.id
-}
-
-type eddsaSigningKey struct {
-	signingMethod jwt.SigningMethod
-	key           ed25519.PrivateKey
-	id            string
-}
-
-func newEdDSASingingKey(signingMethod jwt.SigningMethod, key ed25519.PrivateKey) (eddsaSigningKey, error) {
-	kid, err := util.CreatePublicKeyFingerprint(key.Public().(ed25519.PublicKey))
-	if err != nil {
-		return eddsaSigningKey{}, err
-	}
-
-	return eddsaSigningKey{
-		signingMethod,
-		key,
-		base64.RawURLEncoding.EncodeToString(kid),
-	}, nil
-}
-
-func (key eddsaSigningKey) IsSymmetric() bool {
-	return false
-}
-
-func (key eddsaSigningKey) SigningMethod() jwt.SigningMethod {
-	return key.signingMethod
-}
-
-func (key eddsaSigningKey) SignKey() any {
-	return key.key
-}
-
-func (key eddsaSigningKey) VerifyKey() any {
-	return key.key.Public()
-}
-
-func (key eddsaSigningKey) ToJWK() (map[string]string, error) {
-	pubKey := key.key.Public().(ed25519.PublicKey)
-
-	return map[string]string{
-		"alg": key.SigningMethod().Alg(),
-		"kid": key.id,
-		"kty": "OKP",
-		"crv": "Ed25519",
-		"x":   base64.RawURLEncoding.EncodeToString(pubKey),
-	}, nil
-}
-
-func (key eddsaSigningKey) PreProcessToken(token *jwt.Token) {
-	token.Header["kid"] = key.id
-}
-
-type ecdsaSingingKey struct {
-	signingMethod jwt.SigningMethod
-	key           *ecdsa.PrivateKey
-	id            string
-}
-
-func newECDSASingingKey(signingMethod jwt.SigningMethod, key *ecdsa.PrivateKey) (ecdsaSingingKey, error) {
-	kid, err := util.CreatePublicKeyFingerprint(key.Public().(*ecdsa.PublicKey))
-	if err != nil {
-		return ecdsaSingingKey{}, err
-	}
-
-	return ecdsaSingingKey{
-		signingMethod,
-		key,
-		base64.RawURLEncoding.EncodeToString(kid),
-	}, nil
-}
-
-func (key ecdsaSingingKey) IsSymmetric() bool {
-	return false
-}
-
-func (key ecdsaSingingKey) SigningMethod() jwt.SigningMethod {
-	return key.signingMethod
-}
-
-func (key ecdsaSingingKey) SignKey() any {
-	return key.key
-}
-
-func (key ecdsaSingingKey) VerifyKey() any {
-	return key.key.Public()
-}
-
-func (key ecdsaSingingKey) ToJWK() (map[string]string, error) {
-	pubKey := key.key.Public().(*ecdsa.PublicKey)
-
-	return map[string]string{
-		"kty": "EC",
-		"alg": key.SigningMethod().Alg(),
-		"kid": key.id,
-		"crv": pubKey.Params().Name,
-		"x":   base64.RawURLEncoding.EncodeToString(pubKey.X.Bytes()),
-		"y":   base64.RawURLEncoding.EncodeToString(pubKey.Y.Bytes()),
-	}, nil
-}
-
-func (key ecdsaSingingKey) PreProcessToken(token *jwt.Token) {
-	token.Header["kid"] = key.id
-}
-
-// CreateJWTSigningKey creates a signing key from an algorithm / key pair.
-func CreateJWTSigningKey(algorithm string, key any) (JWTSigningKey, error) {
-	var signingMethod jwt.SigningMethod
-	switch algorithm {
-	case "HS256":
-		signingMethod = jwt.SigningMethodHS256
-	case "HS384":
-		signingMethod = jwt.SigningMethodHS384
-	case "HS512":
-		signingMethod = jwt.SigningMethodHS512
-
-	case "RS256":
-		signingMethod = jwt.SigningMethodRS256
-	case "RS384":
-		signingMethod = jwt.SigningMethodRS384
-	case "RS512":
-		signingMethod = jwt.SigningMethodRS512
-
-	case "ES256":
-		signingMethod = jwt.SigningMethodES256
-	case "ES384":
-		signingMethod = jwt.SigningMethodES384
-	case "ES512":
-		signingMethod = jwt.SigningMethodES512
-	case "EdDSA":
-		signingMethod = jwt.SigningMethodEdDSA
-	default:
-		return nil, ErrInvalidAlgorithmType{algorithm}
-	}
-
-	switch signingMethod.(type) {
-	case *jwt.SigningMethodEd25519:
-		privateKey, ok := key.(ed25519.PrivateKey)
-		if !ok {
-			return nil, jwt.ErrInvalidKeyType
-		}
-		return newEdDSASingingKey(signingMethod, privateKey)
-	case *jwt.SigningMethodECDSA:
-		privateKey, ok := key.(*ecdsa.PrivateKey)
-		if !ok {
-			return nil, jwt.ErrInvalidKeyType
-		}
-		return newECDSASingingKey(signingMethod, privateKey)
-	case *jwt.SigningMethodRSA:
-		privateKey, ok := key.(*rsa.PrivateKey)
-		if !ok {
-			return nil, jwt.ErrInvalidKeyType
-		}
-		return newRSASingingKey(signingMethod, privateKey)
-	default:
-		secret, ok := key.([]byte)
-		if !ok {
-			return nil, jwt.ErrInvalidKeyType
-		}
-		return hmacSigningKey{signingMethod, secret}, nil
-	}
-}
-
-// DefaultSigningKey is the default signing key for JWTs.
-var DefaultSigningKey JWTSigningKey
-
-// InitSigningKey creates the default signing key from settings or creates a random key.
-func InitSigningKey() error {
-	var err error
-	var key any
-
-	switch setting.OAuth2.JWTSigningAlgorithm {
-	case "HS256":
-		fallthrough
-	case "HS384":
-		fallthrough
-	case "HS512":
-		key = setting.GetGeneralTokenSigningSecret()
-	case "RS256":
-		fallthrough
-	case "RS384":
-		fallthrough
-	case "RS512":
-		fallthrough
-	case "ES256":
-		fallthrough
-	case "ES384":
-		fallthrough
-	case "ES512":
-		fallthrough
-	case "EdDSA":
-		key, err = loadOrCreateAsymmetricKey()
-	default:
-		return ErrInvalidAlgorithmType{setting.OAuth2.JWTSigningAlgorithm}
-	}
-
-	if err != nil {
-		return fmt.Errorf("Error while loading or creating JWT key: %w", err)
-	}
-
-	signingKey, err := CreateJWTSigningKey(setting.OAuth2.JWTSigningAlgorithm, key)
-	if err != nil {
-		return err
-	}
-
-	DefaultSigningKey = signingKey
-
-	return nil
-}
-
-// loadOrCreateAsymmetricKey checks if the configured private key exists.
-// If it does not exist a new random key gets generated and saved on the configured path.
-func loadOrCreateAsymmetricKey() (any, error) {
-	keyPath := setting.OAuth2.JWTSigningPrivateKeyFile
-
-	isExist, err := util.IsExist(keyPath)
-	if err != nil {
-		log.Fatal("Unable to check if %s exists. Error: %v", keyPath, err)
-	}
-	if !isExist {
-		err := func() error {
-			key, err := func() (any, error) {
-				switch {
-				case strings.HasPrefix(setting.OAuth2.JWTSigningAlgorithm, "RS"):
-					return rsa.GenerateKey(rand.Reader, 4096)
-				case setting.OAuth2.JWTSigningAlgorithm == "EdDSA":
-					_, pk, err := ed25519.GenerateKey(rand.Reader)
-					return pk, err
-				default:
-					return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-				}
-			}()
-			if err != nil {
-				return err
-			}
-
-			bytes, err := x509.MarshalPKCS8PrivateKey(key)
-			if err != nil {
-				return err
-			}
-
-			privateKeyPEM := &pem.Block{Type: "PRIVATE KEY", Bytes: bytes}
-
-			if err := os.MkdirAll(filepath.Dir(keyPath), os.ModePerm); err != nil {
-				return err
-			}
-
-			f, err := os.OpenFile(keyPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o600)
-			if err != nil {
-				return err
-			}
-			defer func() {
-				if err = f.Close(); err != nil {
-					log.Error("Close: %v", err)
-				}
-			}()
-
-			return pem.Encode(f, privateKeyPEM)
-		}()
-		if err != nil {
-			log.Fatal("Error generating private key: %v", err)
-			return nil, err
-		}
-	}
-
-	bytes, err := os.ReadFile(keyPath)
-	if err != nil {
-		return nil, err
-	}
-
-	block, _ := pem.Decode(bytes)
-	if block == nil {
-		return nil, fmt.Errorf("no valid PEM data found in %s", keyPath)
-	} else if block.Type != "PRIVATE KEY" {
-		return nil, fmt.Errorf("expected PRIVATE KEY, got %s in %s", block.Type, keyPath)
-	}
-
-	return x509.ParsePKCS8PrivateKey(block.Bytes)
-}
--- a/services/auth/source/oauth2/token.go
+++ b/services/auth/source/oauth2/token.go
@@ -1,100 +0,0 @@
-// Copyright 2021 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package oauth2
-
-import (
-	"fmt"
-	"time"
-
-	"code.gitea.io/gitea/modules/timeutil"
-
-	"github.com/golang-jwt/jwt/v5"
-)
-
-// ___________     __
-// \__    ___/___ |  | __ ____   ____
-//   |    | /  _ \|  |/ // __ \ /    \
-//   |    |(  <_> )    <\  ___/|   |  \
-//   |____| \____/|__|_ \\___  >___|  /
-//                     \/    \/     \/
-
-// Token represents an Oauth grant
-
-// TokenType represents the type of token for an oauth application
-type TokenType int
-
-const (
-	// TypeAccessToken is a token with short lifetime to access the api
-	TypeAccessToken TokenType = 0
-	// TypeRefreshToken is token with long lifetime to refresh access tokens obtained by the client
-	TypeRefreshToken = iota
-)
-
-// Token represents a JWT token used to authenticate a client
-type Token struct {
-	GrantID int64     `json:"gnt"`
-	Type    TokenType `json:"tt"`
-	Counter int64     `json:"cnt,omitempty"`
-	jwt.RegisteredClaims
-}
-
-// ParseToken parses a signed jwt string
-func ParseToken(jwtToken string, signingKey JWTSigningKey) (*Token, error) {
-	parsedToken, err := jwt.ParseWithClaims(jwtToken, &Token{}, func(token *jwt.Token) (any, error) {
-		if token.Method == nil || token.Method.Alg() != signingKey.SigningMethod().Alg() {
-			return nil, fmt.Errorf("unexpected signing algo: %v", token.Header["alg"])
-		}
-		return signingKey.VerifyKey(), nil
-	})
-	if err != nil {
-		return nil, err
-	}
-	if !parsedToken.Valid {
-		return nil, fmt.Errorf("invalid token")
-	}
-	var token *Token
-	var ok bool
-	if token, ok = parsedToken.Claims.(*Token); !ok || !parsedToken.Valid {
-		return nil, fmt.Errorf("invalid token")
-	}
-	return token, nil
-}
-
-// SignToken signs the token with the JWT secret
-func (token *Token) SignToken(signingKey JWTSigningKey) (string, error) {
-	token.IssuedAt = jwt.NewNumericDate(time.Now())
-	jwtToken := jwt.NewWithClaims(signingKey.SigningMethod(), token)
-	signingKey.PreProcessToken(jwtToken)
-	return jwtToken.SignedString(signingKey.SignKey())
-}
-
-// OIDCToken represents an OpenID Connect id_token
-type OIDCToken struct {
-	jwt.RegisteredClaims
-	Nonce string `json:"nonce,omitempty"`
-
-	// Scope profile
-	Name              string             `json:"name,omitempty"`
-	PreferredUsername string             `json:"preferred_username,omitempty"`
-	Profile           string             `json:"profile,omitempty"`
-	Picture           string             `json:"picture,omitempty"`
-	Website           string             `json:"website,omitempty"`
-	Locale            string             `json:"locale,omitempty"`
-	UpdatedAt         timeutil.TimeStamp `json:"updated_at,omitempty"`
-
-	// Scope email
-	Email         string `json:"email,omitempty"`
-	EmailVerified bool   `json:"email_verified,omitempty"`
-
-	// Groups are generated by organization and team names
-	Groups []string `json:"groups,omitempty"`
-}
-
-// SignToken signs an id_token with the (symmetric) client secret key
-func (token *OIDCToken) SignToken(signingKey JWTSigningKey) (string, error) {
-	token.IssuedAt = jwt.NewNumericDate(time.Now())
-	jwtToken := jwt.NewWithClaims(signingKey.SigningMethod(), token)
-	signingKey.PreProcessToken(jwtToken)
-	return jwtToken.SignedString(signingKey.SignKey())
-}