mirror of
				https://github.com/go-gitea/gitea
				synced 2025-10-26 17:08:25 +00:00 
			
		
		
		
	Make oauth2 code clear. Move oauth2 provider code to their own packages/files (#32148)
Fix #30266 Replace #31533
This commit is contained in:
		| @@ -47,6 +47,7 @@ import ( | ||||
| 	markup_service "code.gitea.io/gitea/services/markup" | ||||
| 	repo_migrations "code.gitea.io/gitea/services/migrations" | ||||
| 	mirror_service "code.gitea.io/gitea/services/mirror" | ||||
| 	"code.gitea.io/gitea/services/oauth2_provider" | ||||
| 	pull_service "code.gitea.io/gitea/services/pull" | ||||
| 	release_service "code.gitea.io/gitea/services/release" | ||||
| 	repo_service "code.gitea.io/gitea/services/repository" | ||||
| @@ -144,7 +145,7 @@ func InitWebInstalled(ctx context.Context) { | ||||
| 	log.Info("ORM engine initialization successful!") | ||||
| 	mustInit(system.Init) | ||||
| 	mustInitCtx(ctx, oauth2.Init) | ||||
|  | ||||
| 	mustInitCtx(ctx, oauth2_provider.Init) | ||||
| 	mustInit(release_service.Init) | ||||
|  | ||||
| 	mustInitCtx(ctx, models.Init) | ||||
|   | ||||
| @@ -4,878 +4,34 @@ | ||||
| package auth | ||||
|  | ||||
| import ( | ||||
| 	go_context "context" | ||||
| 	"errors" | ||||
| 	"fmt" | ||||
| 	"html" | ||||
| 	"html/template" | ||||
| 	"io" | ||||
| 	"net/http" | ||||
| 	"net/url" | ||||
| 	"sort" | ||||
| 	"strings" | ||||
|  | ||||
| 	"code.gitea.io/gitea/models/auth" | ||||
| 	org_model "code.gitea.io/gitea/models/organization" | ||||
| 	user_model "code.gitea.io/gitea/models/user" | ||||
| 	auth_module "code.gitea.io/gitea/modules/auth" | ||||
| 	"code.gitea.io/gitea/modules/base" | ||||
| 	"code.gitea.io/gitea/modules/container" | ||||
| 	"code.gitea.io/gitea/modules/json" | ||||
| 	"code.gitea.io/gitea/modules/log" | ||||
| 	"code.gitea.io/gitea/modules/optional" | ||||
| 	"code.gitea.io/gitea/modules/setting" | ||||
| 	"code.gitea.io/gitea/modules/timeutil" | ||||
| 	"code.gitea.io/gitea/modules/web" | ||||
| 	"code.gitea.io/gitea/modules/web/middleware" | ||||
| 	auth_service "code.gitea.io/gitea/services/auth" | ||||
| 	source_service "code.gitea.io/gitea/services/auth/source" | ||||
| 	"code.gitea.io/gitea/services/auth/source/oauth2" | ||||
| 	"code.gitea.io/gitea/services/context" | ||||
| 	"code.gitea.io/gitea/services/externalaccount" | ||||
| 	"code.gitea.io/gitea/services/forms" | ||||
| 	user_service "code.gitea.io/gitea/services/user" | ||||
|  | ||||
| 	"gitea.com/go-chi/binding" | ||||
| 	"github.com/golang-jwt/jwt/v5" | ||||
| 	"github.com/markbates/goth" | ||||
| 	"github.com/markbates/goth/gothic" | ||||
| 	go_oauth2 "golang.org/x/oauth2" | ||||
| ) | ||||
|  | ||||
| const ( | ||||
| 	tplGrantAccess base.TplName = "user/auth/grant" | ||||
| 	tplGrantError  base.TplName = "user/auth/grant_error" | ||||
| ) | ||||
|  | ||||
| // TODO move error and responses to SDK or models | ||||
|  | ||||
| // AuthorizeErrorCode represents an error code specified in RFC 6749 | ||||
| // https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2.1 | ||||
| type AuthorizeErrorCode string | ||||
|  | ||||
| const ( | ||||
| 	// ErrorCodeInvalidRequest represents the according error in RFC 6749 | ||||
| 	ErrorCodeInvalidRequest AuthorizeErrorCode = "invalid_request" | ||||
| 	// ErrorCodeUnauthorizedClient represents the according error in RFC 6749 | ||||
| 	ErrorCodeUnauthorizedClient AuthorizeErrorCode = "unauthorized_client" | ||||
| 	// ErrorCodeAccessDenied represents the according error in RFC 6749 | ||||
| 	ErrorCodeAccessDenied AuthorizeErrorCode = "access_denied" | ||||
| 	// ErrorCodeUnsupportedResponseType represents the according error in RFC 6749 | ||||
| 	ErrorCodeUnsupportedResponseType AuthorizeErrorCode = "unsupported_response_type" | ||||
| 	// ErrorCodeInvalidScope represents the according error in RFC 6749 | ||||
| 	ErrorCodeInvalidScope AuthorizeErrorCode = "invalid_scope" | ||||
| 	// ErrorCodeServerError represents the according error in RFC 6749 | ||||
| 	ErrorCodeServerError AuthorizeErrorCode = "server_error" | ||||
| 	// ErrorCodeTemporaryUnavailable represents the according error in RFC 6749 | ||||
| 	ErrorCodeTemporaryUnavailable AuthorizeErrorCode = "temporarily_unavailable" | ||||
| ) | ||||
|  | ||||
| // AuthorizeError represents an error type specified in RFC 6749 | ||||
| // https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2.1 | ||||
| type AuthorizeError struct { | ||||
| 	ErrorCode        AuthorizeErrorCode `json:"error" form:"error"` | ||||
| 	ErrorDescription string | ||||
| 	State            string | ||||
| } | ||||
|  | ||||
| // Error returns the error message | ||||
| func (err AuthorizeError) Error() string { | ||||
| 	return fmt.Sprintf("%s: %s", err.ErrorCode, err.ErrorDescription) | ||||
| } | ||||
|  | ||||
| // AccessTokenErrorCode represents an error code specified in RFC 6749 | ||||
| // https://datatracker.ietf.org/doc/html/rfc6749#section-5.2 | ||||
| type AccessTokenErrorCode string | ||||
|  | ||||
| const ( | ||||
| 	// AccessTokenErrorCodeInvalidRequest represents an error code specified in RFC 6749 | ||||
| 	AccessTokenErrorCodeInvalidRequest AccessTokenErrorCode = "invalid_request" | ||||
| 	// AccessTokenErrorCodeInvalidClient represents an error code specified in RFC 6749 | ||||
| 	AccessTokenErrorCodeInvalidClient = "invalid_client" | ||||
| 	// AccessTokenErrorCodeInvalidGrant represents an error code specified in RFC 6749 | ||||
| 	AccessTokenErrorCodeInvalidGrant = "invalid_grant" | ||||
| 	// AccessTokenErrorCodeUnauthorizedClient represents an error code specified in RFC 6749 | ||||
| 	AccessTokenErrorCodeUnauthorizedClient = "unauthorized_client" | ||||
| 	// AccessTokenErrorCodeUnsupportedGrantType represents an error code specified in RFC 6749 | ||||
| 	AccessTokenErrorCodeUnsupportedGrantType = "unsupported_grant_type" | ||||
| 	// AccessTokenErrorCodeInvalidScope represents an error code specified in RFC 6749 | ||||
| 	AccessTokenErrorCodeInvalidScope = "invalid_scope" | ||||
| ) | ||||
|  | ||||
| // AccessTokenError represents an error response specified in RFC 6749 | ||||
| // https://datatracker.ietf.org/doc/html/rfc6749#section-5.2 | ||||
| type AccessTokenError struct { | ||||
| 	ErrorCode        AccessTokenErrorCode `json:"error" form:"error"` | ||||
| 	ErrorDescription string               `json:"error_description"` | ||||
| } | ||||
|  | ||||
| // Error returns the error message | ||||
| func (err AccessTokenError) Error() string { | ||||
| 	return fmt.Sprintf("%s: %s", err.ErrorCode, err.ErrorDescription) | ||||
| } | ||||
|  | ||||
| // errCallback represents a oauth2 callback error | ||||
| type errCallback struct { | ||||
| 	Code        string | ||||
| 	Description string | ||||
| } | ||||
|  | ||||
| func (err errCallback) Error() string { | ||||
| 	return err.Description | ||||
| } | ||||
|  | ||||
| // TokenType specifies the kind of token | ||||
| type TokenType string | ||||
|  | ||||
| const ( | ||||
| 	// TokenTypeBearer represents a token type specified in RFC 6749 | ||||
| 	TokenTypeBearer TokenType = "bearer" | ||||
| 	// TokenTypeMAC represents a token type specified in RFC 6749 | ||||
| 	TokenTypeMAC = "mac" | ||||
| ) | ||||
|  | ||||
| // AccessTokenResponse represents a successful access token response | ||||
| // https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2 | ||||
| type AccessTokenResponse struct { | ||||
| 	AccessToken  string    `json:"access_token"` | ||||
| 	TokenType    TokenType `json:"token_type"` | ||||
| 	ExpiresIn    int64     `json:"expires_in"` | ||||
| 	RefreshToken string    `json:"refresh_token"` | ||||
| 	IDToken      string    `json:"id_token,omitempty"` | ||||
| } | ||||
|  | ||||
| func newAccessTokenResponse(ctx go_context.Context, grant *auth.OAuth2Grant, serverKey, clientKey oauth2.JWTSigningKey) (*AccessTokenResponse, *AccessTokenError) { | ||||
| 	if setting.OAuth2.InvalidateRefreshTokens { | ||||
| 		if err := grant.IncreaseCounter(ctx); err != nil { | ||||
| 			return nil, &AccessTokenError{ | ||||
| 				ErrorCode:        AccessTokenErrorCodeInvalidGrant, | ||||
| 				ErrorDescription: "cannot increase the grant counter", | ||||
| 			} | ||||
| 		} | ||||
| 	} | ||||
| 	// generate access token to access the API | ||||
| 	expirationDate := timeutil.TimeStampNow().Add(setting.OAuth2.AccessTokenExpirationTime) | ||||
| 	accessToken := &oauth2.Token{ | ||||
| 		GrantID: grant.ID, | ||||
| 		Type:    oauth2.TypeAccessToken, | ||||
| 		RegisteredClaims: jwt.RegisteredClaims{ | ||||
| 			ExpiresAt: jwt.NewNumericDate(expirationDate.AsTime()), | ||||
| 		}, | ||||
| 	} | ||||
| 	signedAccessToken, err := accessToken.SignToken(serverKey) | ||||
| 	if err != nil { | ||||
| 		return nil, &AccessTokenError{ | ||||
| 			ErrorCode:        AccessTokenErrorCodeInvalidRequest, | ||||
| 			ErrorDescription: "cannot sign token", | ||||
| 		} | ||||
| 	} | ||||
|  | ||||
| 	// generate refresh token to request an access token after it expired later | ||||
| 	refreshExpirationDate := timeutil.TimeStampNow().Add(setting.OAuth2.RefreshTokenExpirationTime * 60 * 60).AsTime() | ||||
| 	refreshToken := &oauth2.Token{ | ||||
| 		GrantID: grant.ID, | ||||
| 		Counter: grant.Counter, | ||||
| 		Type:    oauth2.TypeRefreshToken, | ||||
| 		RegisteredClaims: jwt.RegisteredClaims{ | ||||
| 			ExpiresAt: jwt.NewNumericDate(refreshExpirationDate), | ||||
| 		}, | ||||
| 	} | ||||
| 	signedRefreshToken, err := refreshToken.SignToken(serverKey) | ||||
| 	if err != nil { | ||||
| 		return nil, &AccessTokenError{ | ||||
| 			ErrorCode:        AccessTokenErrorCodeInvalidRequest, | ||||
| 			ErrorDescription: "cannot sign token", | ||||
| 		} | ||||
| 	} | ||||
|  | ||||
| 	// generate OpenID Connect id_token | ||||
| 	signedIDToken := "" | ||||
| 	if grant.ScopeContains("openid") { | ||||
| 		app, err := auth.GetOAuth2ApplicationByID(ctx, grant.ApplicationID) | ||||
| 		if err != nil { | ||||
| 			return nil, &AccessTokenError{ | ||||
| 				ErrorCode:        AccessTokenErrorCodeInvalidRequest, | ||||
| 				ErrorDescription: "cannot find application", | ||||
| 			} | ||||
| 		} | ||||
| 		user, err := user_model.GetUserByID(ctx, grant.UserID) | ||||
| 		if err != nil { | ||||
| 			if user_model.IsErrUserNotExist(err) { | ||||
| 				return nil, &AccessTokenError{ | ||||
| 					ErrorCode:        AccessTokenErrorCodeInvalidRequest, | ||||
| 					ErrorDescription: "cannot find user", | ||||
| 				} | ||||
| 			} | ||||
| 			log.Error("Error loading user: %v", err) | ||||
| 			return nil, &AccessTokenError{ | ||||
| 				ErrorCode:        AccessTokenErrorCodeInvalidRequest, | ||||
| 				ErrorDescription: "server error", | ||||
| 			} | ||||
| 		} | ||||
|  | ||||
| 		idToken := &oauth2.OIDCToken{ | ||||
| 			RegisteredClaims: jwt.RegisteredClaims{ | ||||
| 				ExpiresAt: jwt.NewNumericDate(expirationDate.AsTime()), | ||||
| 				Issuer:    setting.AppURL, | ||||
| 				Audience:  []string{app.ClientID}, | ||||
| 				Subject:   fmt.Sprint(grant.UserID), | ||||
| 			}, | ||||
| 			Nonce: grant.Nonce, | ||||
| 		} | ||||
| 		if grant.ScopeContains("profile") { | ||||
| 			idToken.Name = user.GetDisplayName() | ||||
| 			idToken.PreferredUsername = user.Name | ||||
| 			idToken.Profile = user.HTMLURL() | ||||
| 			idToken.Picture = user.AvatarLink(ctx) | ||||
| 			idToken.Website = user.Website | ||||
| 			idToken.Locale = user.Language | ||||
| 			idToken.UpdatedAt = user.UpdatedUnix | ||||
| 		} | ||||
| 		if grant.ScopeContains("email") { | ||||
| 			idToken.Email = user.Email | ||||
| 			idToken.EmailVerified = user.IsActive | ||||
| 		} | ||||
| 		if grant.ScopeContains("groups") { | ||||
| 			groups, err := getOAuthGroupsForUser(ctx, user) | ||||
| 			if err != nil { | ||||
| 				log.Error("Error getting groups: %v", err) | ||||
| 				return nil, &AccessTokenError{ | ||||
| 					ErrorCode:        AccessTokenErrorCodeInvalidRequest, | ||||
| 					ErrorDescription: "server error", | ||||
| 				} | ||||
| 			} | ||||
| 			idToken.Groups = groups | ||||
| 		} | ||||
|  | ||||
| 		signedIDToken, err = idToken.SignToken(clientKey) | ||||
| 		if err != nil { | ||||
| 			return nil, &AccessTokenError{ | ||||
| 				ErrorCode:        AccessTokenErrorCodeInvalidRequest, | ||||
| 				ErrorDescription: "cannot sign token", | ||||
| 			} | ||||
| 		} | ||||
| 	} | ||||
|  | ||||
| 	return &AccessTokenResponse{ | ||||
| 		AccessToken:  signedAccessToken, | ||||
| 		TokenType:    TokenTypeBearer, | ||||
| 		ExpiresIn:    setting.OAuth2.AccessTokenExpirationTime, | ||||
| 		RefreshToken: signedRefreshToken, | ||||
| 		IDToken:      signedIDToken, | ||||
| 	}, nil | ||||
| } | ||||
|  | ||||
| type userInfoResponse struct { | ||||
| 	Sub      string   `json:"sub"` | ||||
| 	Name     string   `json:"name"` | ||||
| 	Username string   `json:"preferred_username"` | ||||
| 	Email    string   `json:"email"` | ||||
| 	Picture  string   `json:"picture"` | ||||
| 	Groups   []string `json:"groups"` | ||||
| } | ||||
|  | ||||
| // InfoOAuth manages request for userinfo endpoint | ||||
| func InfoOAuth(ctx *context.Context) { | ||||
| 	if ctx.Doer == nil || ctx.Data["AuthedMethod"] != (&auth_service.OAuth2{}).Name() { | ||||
| 		ctx.Resp.Header().Set("WWW-Authenticate", `Bearer realm=""`) | ||||
| 		ctx.PlainText(http.StatusUnauthorized, "no valid authorization") | ||||
| 		return | ||||
| 	} | ||||
|  | ||||
| 	response := &userInfoResponse{ | ||||
| 		Sub:      fmt.Sprint(ctx.Doer.ID), | ||||
| 		Name:     ctx.Doer.FullName, | ||||
| 		Username: ctx.Doer.Name, | ||||
| 		Email:    ctx.Doer.Email, | ||||
| 		Picture:  ctx.Doer.AvatarLink(ctx), | ||||
| 	} | ||||
|  | ||||
| 	groups, err := getOAuthGroupsForUser(ctx, ctx.Doer) | ||||
| 	if err != nil { | ||||
| 		ctx.ServerError("Oauth groups for user", err) | ||||
| 		return | ||||
| 	} | ||||
| 	response.Groups = groups | ||||
|  | ||||
| 	ctx.JSON(http.StatusOK, response) | ||||
| } | ||||
|  | ||||
| // returns a list of "org" and "org:team" strings, | ||||
| // that the given user is a part of. | ||||
| func getOAuthGroupsForUser(ctx go_context.Context, user *user_model.User) ([]string, error) { | ||||
| 	orgs, err := org_model.GetUserOrgsList(ctx, user) | ||||
| 	if err != nil { | ||||
| 		return nil, fmt.Errorf("GetUserOrgList: %w", err) | ||||
| 	} | ||||
|  | ||||
| 	var groups []string | ||||
| 	for _, org := range orgs { | ||||
| 		groups = append(groups, org.Name) | ||||
| 		teams, err := org.LoadTeams(ctx) | ||||
| 		if err != nil { | ||||
| 			return nil, fmt.Errorf("LoadTeams: %w", err) | ||||
| 		} | ||||
| 		for _, team := range teams { | ||||
| 			if team.IsMember(ctx, user.ID) { | ||||
| 				groups = append(groups, org.Name+":"+team.LowerName) | ||||
| 			} | ||||
| 		} | ||||
| 	} | ||||
| 	return groups, nil | ||||
| } | ||||
|  | ||||
| func parseBasicAuth(ctx *context.Context) (username, password string, err error) { | ||||
| 	authHeader := ctx.Req.Header.Get("Authorization") | ||||
| 	if authType, authData, ok := strings.Cut(authHeader, " "); ok && strings.EqualFold(authType, "Basic") { | ||||
| 		return base.BasicAuthDecode(authData) | ||||
| 	} | ||||
| 	return "", "", errors.New("invalid basic authentication") | ||||
| } | ||||
|  | ||||
| // IntrospectOAuth introspects an oauth token | ||||
| func IntrospectOAuth(ctx *context.Context) { | ||||
| 	clientIDValid := false | ||||
| 	if clientID, clientSecret, err := parseBasicAuth(ctx); err == nil { | ||||
| 		app, err := auth.GetOAuth2ApplicationByClientID(ctx, clientID) | ||||
| 		if err != nil && !auth.IsErrOauthClientIDInvalid(err) { | ||||
| 			// this is likely a database error; log it and respond without details | ||||
| 			log.Error("Error retrieving client_id: %v", err) | ||||
| 			ctx.Error(http.StatusInternalServerError) | ||||
| 			return | ||||
| 		} | ||||
| 		clientIDValid = err == nil && app.ValidateClientSecret([]byte(clientSecret)) | ||||
| 	} | ||||
| 	if !clientIDValid { | ||||
| 		ctx.Resp.Header().Set("WWW-Authenticate", `Basic realm=""`) | ||||
| 		ctx.PlainText(http.StatusUnauthorized, "no valid authorization") | ||||
| 		return | ||||
| 	} | ||||
|  | ||||
| 	var response struct { | ||||
| 		Active   bool   `json:"active"` | ||||
| 		Scope    string `json:"scope,omitempty"` | ||||
| 		Username string `json:"username,omitempty"` | ||||
| 		jwt.RegisteredClaims | ||||
| 	} | ||||
|  | ||||
| 	form := web.GetForm(ctx).(*forms.IntrospectTokenForm) | ||||
| 	token, err := oauth2.ParseToken(form.Token, oauth2.DefaultSigningKey) | ||||
| 	if err == nil { | ||||
| 		grant, err := auth.GetOAuth2GrantByID(ctx, token.GrantID) | ||||
| 		if err == nil && grant != nil { | ||||
| 			app, err := auth.GetOAuth2ApplicationByID(ctx, grant.ApplicationID) | ||||
| 			if err == nil && app != nil { | ||||
| 				response.Active = true | ||||
| 				response.Scope = grant.Scope | ||||
| 				response.Issuer = setting.AppURL | ||||
| 				response.Audience = []string{app.ClientID} | ||||
| 				response.Subject = fmt.Sprint(grant.UserID) | ||||
| 			} | ||||
| 			if user, err := user_model.GetUserByID(ctx, grant.UserID); err == nil { | ||||
| 				response.Username = user.Name | ||||
| 			} | ||||
| 		} | ||||
| 	} | ||||
|  | ||||
| 	ctx.JSON(http.StatusOK, response) | ||||
| } | ||||
|  | ||||
| // AuthorizeOAuth manages authorize requests | ||||
| func AuthorizeOAuth(ctx *context.Context) { | ||||
| 	form := web.GetForm(ctx).(*forms.AuthorizationForm) | ||||
| 	errs := binding.Errors{} | ||||
| 	errs = form.Validate(ctx.Req, errs) | ||||
| 	if len(errs) > 0 { | ||||
| 		errstring := "" | ||||
| 		for _, e := range errs { | ||||
| 			errstring += e.Error() + "\n" | ||||
| 		} | ||||
| 		ctx.ServerError("AuthorizeOAuth: Validate: ", fmt.Errorf("errors occurred during validation: %s", errstring)) | ||||
| 		return | ||||
| 	} | ||||
|  | ||||
| 	app, err := auth.GetOAuth2ApplicationByClientID(ctx, form.ClientID) | ||||
| 	if err != nil { | ||||
| 		if auth.IsErrOauthClientIDInvalid(err) { | ||||
| 			handleAuthorizeError(ctx, AuthorizeError{ | ||||
| 				ErrorCode:        ErrorCodeUnauthorizedClient, | ||||
| 				ErrorDescription: "Client ID not registered", | ||||
| 				State:            form.State, | ||||
| 			}, "") | ||||
| 			return | ||||
| 		} | ||||
| 		ctx.ServerError("GetOAuth2ApplicationByClientID", err) | ||||
| 		return | ||||
| 	} | ||||
|  | ||||
| 	var user *user_model.User | ||||
| 	if app.UID != 0 { | ||||
| 		user, err = user_model.GetUserByID(ctx, app.UID) | ||||
| 		if err != nil { | ||||
| 			ctx.ServerError("GetUserByID", err) | ||||
| 			return | ||||
| 		} | ||||
| 	} | ||||
|  | ||||
| 	if !app.ContainsRedirectURI(form.RedirectURI) { | ||||
| 		handleAuthorizeError(ctx, AuthorizeError{ | ||||
| 			ErrorCode:        ErrorCodeInvalidRequest, | ||||
| 			ErrorDescription: "Unregistered Redirect URI", | ||||
| 			State:            form.State, | ||||
| 		}, "") | ||||
| 		return | ||||
| 	} | ||||
|  | ||||
| 	if form.ResponseType != "code" { | ||||
| 		handleAuthorizeError(ctx, AuthorizeError{ | ||||
| 			ErrorCode:        ErrorCodeUnsupportedResponseType, | ||||
| 			ErrorDescription: "Only code response type is supported.", | ||||
| 			State:            form.State, | ||||
| 		}, form.RedirectURI) | ||||
| 		return | ||||
| 	} | ||||
|  | ||||
| 	// pkce support | ||||
| 	switch form.CodeChallengeMethod { | ||||
| 	case "S256": | ||||
| 	case "plain": | ||||
| 		if err := ctx.Session.Set("CodeChallengeMethod", form.CodeChallengeMethod); err != nil { | ||||
| 			handleAuthorizeError(ctx, AuthorizeError{ | ||||
| 				ErrorCode:        ErrorCodeServerError, | ||||
| 				ErrorDescription: "cannot set code challenge method", | ||||
| 				State:            form.State, | ||||
| 			}, form.RedirectURI) | ||||
| 			return | ||||
| 		} | ||||
| 		if err := ctx.Session.Set("CodeChallengeMethod", form.CodeChallenge); err != nil { | ||||
| 			handleAuthorizeError(ctx, AuthorizeError{ | ||||
| 				ErrorCode:        ErrorCodeServerError, | ||||
| 				ErrorDescription: "cannot set code challenge", | ||||
| 				State:            form.State, | ||||
| 			}, form.RedirectURI) | ||||
| 			return | ||||
| 		} | ||||
| 		// Here we're just going to try to release the session early | ||||
| 		if err := ctx.Session.Release(); err != nil { | ||||
| 			// we'll tolerate errors here as they *should* get saved elsewhere | ||||
| 			log.Error("Unable to save changes to the session: %v", err) | ||||
| 		} | ||||
| 	case "": | ||||
| 		// "Authorization servers SHOULD reject authorization requests from native apps that don't use PKCE by returning an error message" | ||||
| 		// https://datatracker.ietf.org/doc/html/rfc8252#section-8.1 | ||||
| 		if !app.ConfidentialClient { | ||||
| 			// "the authorization endpoint MUST return the authorization error response with the "error" value set to "invalid_request"" | ||||
| 			// https://datatracker.ietf.org/doc/html/rfc7636#section-4.4.1 | ||||
| 			handleAuthorizeError(ctx, AuthorizeError{ | ||||
| 				ErrorCode:        ErrorCodeInvalidRequest, | ||||
| 				ErrorDescription: "PKCE is required for public clients", | ||||
| 				State:            form.State, | ||||
| 			}, form.RedirectURI) | ||||
| 			return | ||||
| 		} | ||||
| 	default: | ||||
| 		// "If the server supporting PKCE does not support the requested transformation, the authorization endpoint MUST return the authorization error response with "error" value set to "invalid_request"." | ||||
| 		// https://www.rfc-editor.org/rfc/rfc7636#section-4.4.1 | ||||
| 		handleAuthorizeError(ctx, AuthorizeError{ | ||||
| 			ErrorCode:        ErrorCodeInvalidRequest, | ||||
| 			ErrorDescription: "unsupported code challenge method", | ||||
| 			State:            form.State, | ||||
| 		}, form.RedirectURI) | ||||
| 		return | ||||
| 	} | ||||
|  | ||||
| 	grant, err := app.GetGrantByUserID(ctx, ctx.Doer.ID) | ||||
| 	if err != nil { | ||||
| 		handleServerError(ctx, form.State, form.RedirectURI) | ||||
| 		return | ||||
| 	} | ||||
|  | ||||
| 	// Redirect if user already granted access and the application is confidential or trusted otherwise | ||||
| 	// I.e. always require authorization for untrusted public clients as recommended by RFC 6749 Section 10.2 | ||||
| 	if (app.ConfidentialClient || app.SkipSecondaryAuthorization) && grant != nil { | ||||
| 		code, err := grant.GenerateNewAuthorizationCode(ctx, form.RedirectURI, form.CodeChallenge, form.CodeChallengeMethod) | ||||
| 		if err != nil { | ||||
| 			handleServerError(ctx, form.State, form.RedirectURI) | ||||
| 			return | ||||
| 		} | ||||
| 		redirect, err := code.GenerateRedirectURI(form.State) | ||||
| 		if err != nil { | ||||
| 			handleServerError(ctx, form.State, form.RedirectURI) | ||||
| 			return | ||||
| 		} | ||||
| 		// Update nonce to reflect the new session | ||||
| 		if len(form.Nonce) > 0 { | ||||
| 			err := grant.SetNonce(ctx, form.Nonce) | ||||
| 			if err != nil { | ||||
| 				log.Error("Unable to update nonce: %v", err) | ||||
| 			} | ||||
| 		} | ||||
| 		ctx.Redirect(redirect.String()) | ||||
| 		return | ||||
| 	} | ||||
|  | ||||
| 	// show authorize page to grant access | ||||
| 	ctx.Data["Application"] = app | ||||
| 	ctx.Data["RedirectURI"] = form.RedirectURI | ||||
| 	ctx.Data["State"] = form.State | ||||
| 	ctx.Data["Scope"] = form.Scope | ||||
| 	ctx.Data["Nonce"] = form.Nonce | ||||
| 	if user != nil { | ||||
| 		ctx.Data["ApplicationCreatorLinkHTML"] = template.HTML(fmt.Sprintf(`<a href="%s">@%s</a>`, html.EscapeString(user.HomeLink()), html.EscapeString(user.Name))) | ||||
| 	} else { | ||||
| 		ctx.Data["ApplicationCreatorLinkHTML"] = template.HTML(fmt.Sprintf(`<a href="%s">%s</a>`, html.EscapeString(setting.AppSubURL+"/"), html.EscapeString(setting.AppName))) | ||||
| 	} | ||||
| 	ctx.Data["ApplicationRedirectDomainHTML"] = template.HTML("<strong>" + html.EscapeString(form.RedirectURI) + "</strong>") | ||||
| 	// TODO document SESSION <=> FORM | ||||
| 	err = ctx.Session.Set("client_id", app.ClientID) | ||||
| 	if err != nil { | ||||
| 		handleServerError(ctx, form.State, form.RedirectURI) | ||||
| 		log.Error(err.Error()) | ||||
| 		return | ||||
| 	} | ||||
| 	err = ctx.Session.Set("redirect_uri", form.RedirectURI) | ||||
| 	if err != nil { | ||||
| 		handleServerError(ctx, form.State, form.RedirectURI) | ||||
| 		log.Error(err.Error()) | ||||
| 		return | ||||
| 	} | ||||
| 	err = ctx.Session.Set("state", form.State) | ||||
| 	if err != nil { | ||||
| 		handleServerError(ctx, form.State, form.RedirectURI) | ||||
| 		log.Error(err.Error()) | ||||
| 		return | ||||
| 	} | ||||
| 	// Here we're just going to try to release the session early | ||||
| 	if err := ctx.Session.Release(); err != nil { | ||||
| 		// we'll tolerate errors here as they *should* get saved elsewhere | ||||
| 		log.Error("Unable to save changes to the session: %v", err) | ||||
| 	} | ||||
| 	ctx.HTML(http.StatusOK, tplGrantAccess) | ||||
| } | ||||
|  | ||||
| // GrantApplicationOAuth manages the post request submitted when a user grants access to an application | ||||
| func GrantApplicationOAuth(ctx *context.Context) { | ||||
| 	form := web.GetForm(ctx).(*forms.GrantApplicationForm) | ||||
| 	if ctx.Session.Get("client_id") != form.ClientID || ctx.Session.Get("state") != form.State || | ||||
| 		ctx.Session.Get("redirect_uri") != form.RedirectURI { | ||||
| 		ctx.Error(http.StatusBadRequest) | ||||
| 		return | ||||
| 	} | ||||
|  | ||||
| 	if !form.Granted { | ||||
| 		handleAuthorizeError(ctx, AuthorizeError{ | ||||
| 			State:            form.State, | ||||
| 			ErrorDescription: "the request is denied", | ||||
| 			ErrorCode:        ErrorCodeAccessDenied, | ||||
| 		}, form.RedirectURI) | ||||
| 		return | ||||
| 	} | ||||
|  | ||||
| 	app, err := auth.GetOAuth2ApplicationByClientID(ctx, form.ClientID) | ||||
| 	if err != nil { | ||||
| 		ctx.ServerError("GetOAuth2ApplicationByClientID", err) | ||||
| 		return | ||||
| 	} | ||||
| 	grant, err := app.GetGrantByUserID(ctx, ctx.Doer.ID) | ||||
| 	if err != nil { | ||||
| 		handleServerError(ctx, form.State, form.RedirectURI) | ||||
| 		return | ||||
| 	} | ||||
| 	if grant == nil { | ||||
| 		grant, err = app.CreateGrant(ctx, ctx.Doer.ID, form.Scope) | ||||
| 		if err != nil { | ||||
| 			handleAuthorizeError(ctx, AuthorizeError{ | ||||
| 				State:            form.State, | ||||
| 				ErrorDescription: "cannot create grant for user", | ||||
| 				ErrorCode:        ErrorCodeServerError, | ||||
| 			}, form.RedirectURI) | ||||
| 			return | ||||
| 		} | ||||
| 	} else if grant.Scope != form.Scope { | ||||
| 		handleAuthorizeError(ctx, AuthorizeError{ | ||||
| 			State:            form.State, | ||||
| 			ErrorDescription: "a grant exists with different scope", | ||||
| 			ErrorCode:        ErrorCodeServerError, | ||||
| 		}, form.RedirectURI) | ||||
| 		return | ||||
| 	} | ||||
|  | ||||
| 	if len(form.Nonce) > 0 { | ||||
| 		err := grant.SetNonce(ctx, form.Nonce) | ||||
| 		if err != nil { | ||||
| 			log.Error("Unable to update nonce: %v", err) | ||||
| 		} | ||||
| 	} | ||||
|  | ||||
| 	var codeChallenge, codeChallengeMethod string | ||||
| 	codeChallenge, _ = ctx.Session.Get("CodeChallenge").(string) | ||||
| 	codeChallengeMethod, _ = ctx.Session.Get("CodeChallengeMethod").(string) | ||||
|  | ||||
| 	code, err := grant.GenerateNewAuthorizationCode(ctx, form.RedirectURI, codeChallenge, codeChallengeMethod) | ||||
| 	if err != nil { | ||||
| 		handleServerError(ctx, form.State, form.RedirectURI) | ||||
| 		return | ||||
| 	} | ||||
| 	redirect, err := code.GenerateRedirectURI(form.State) | ||||
| 	if err != nil { | ||||
| 		handleServerError(ctx, form.State, form.RedirectURI) | ||||
| 		return | ||||
| 	} | ||||
| 	ctx.Redirect(redirect.String(), http.StatusSeeOther) | ||||
| } | ||||
|  | ||||
| // OIDCWellKnown generates JSON so OIDC clients know Gitea's capabilities | ||||
| func OIDCWellKnown(ctx *context.Context) { | ||||
| 	ctx.Data["SigningKey"] = oauth2.DefaultSigningKey | ||||
| 	ctx.JSONTemplate("user/auth/oidc_wellknown") | ||||
| } | ||||
|  | ||||
| // OIDCKeys generates the JSON Web Key Set | ||||
| func OIDCKeys(ctx *context.Context) { | ||||
| 	jwk, err := oauth2.DefaultSigningKey.ToJWK() | ||||
| 	if err != nil { | ||||
| 		log.Error("Error converting signing key to JWK: %v", err) | ||||
| 		ctx.Error(http.StatusInternalServerError) | ||||
| 		return | ||||
| 	} | ||||
|  | ||||
| 	jwk["use"] = "sig" | ||||
|  | ||||
| 	jwks := map[string][]map[string]string{ | ||||
| 		"keys": { | ||||
| 			jwk, | ||||
| 		}, | ||||
| 	} | ||||
|  | ||||
| 	ctx.Resp.Header().Set("Content-Type", "application/json") | ||||
| 	enc := json.NewEncoder(ctx.Resp) | ||||
| 	if err := enc.Encode(jwks); err != nil { | ||||
| 		log.Error("Failed to encode representation as json. Error: %v", err) | ||||
| 	} | ||||
| } | ||||
|  | ||||
| // AccessTokenOAuth manages all access token requests by the client | ||||
| func AccessTokenOAuth(ctx *context.Context) { | ||||
| 	form := *web.GetForm(ctx).(*forms.AccessTokenForm) | ||||
| 	// if there is no ClientID or ClientSecret in the request body, fill these fields by the Authorization header and ensure the provided field matches the Authorization header | ||||
| 	if form.ClientID == "" || form.ClientSecret == "" { | ||||
| 		authHeader := ctx.Req.Header.Get("Authorization") | ||||
| 		if authType, authData, ok := strings.Cut(authHeader, " "); ok && strings.EqualFold(authType, "Basic") { | ||||
| 			clientID, clientSecret, err := base.BasicAuthDecode(authData) | ||||
| 			if err != nil { | ||||
| 				handleAccessTokenError(ctx, AccessTokenError{ | ||||
| 					ErrorCode:        AccessTokenErrorCodeInvalidRequest, | ||||
| 					ErrorDescription: "cannot parse basic auth header", | ||||
| 				}) | ||||
| 				return | ||||
| 			} | ||||
| 			// validate that any fields present in the form match the Basic auth header | ||||
| 			if form.ClientID != "" && form.ClientID != clientID { | ||||
| 				handleAccessTokenError(ctx, AccessTokenError{ | ||||
| 					ErrorCode:        AccessTokenErrorCodeInvalidRequest, | ||||
| 					ErrorDescription: "client_id in request body inconsistent with Authorization header", | ||||
| 				}) | ||||
| 				return | ||||
| 			} | ||||
| 			form.ClientID = clientID | ||||
| 			if form.ClientSecret != "" && form.ClientSecret != clientSecret { | ||||
| 				handleAccessTokenError(ctx, AccessTokenError{ | ||||
| 					ErrorCode:        AccessTokenErrorCodeInvalidRequest, | ||||
| 					ErrorDescription: "client_secret in request body inconsistent with Authorization header", | ||||
| 				}) | ||||
| 				return | ||||
| 			} | ||||
| 			form.ClientSecret = clientSecret | ||||
| 		} | ||||
| 	} | ||||
|  | ||||
| 	serverKey := oauth2.DefaultSigningKey | ||||
| 	clientKey := serverKey | ||||
| 	if serverKey.IsSymmetric() { | ||||
| 		var err error | ||||
| 		clientKey, err = oauth2.CreateJWTSigningKey(serverKey.SigningMethod().Alg(), []byte(form.ClientSecret)) | ||||
| 		if err != nil { | ||||
| 			handleAccessTokenError(ctx, AccessTokenError{ | ||||
| 				ErrorCode:        AccessTokenErrorCodeInvalidRequest, | ||||
| 				ErrorDescription: "Error creating signing key", | ||||
| 			}) | ||||
| 			return | ||||
| 		} | ||||
| 	} | ||||
|  | ||||
| 	switch form.GrantType { | ||||
| 	case "refresh_token": | ||||
| 		handleRefreshToken(ctx, form, serverKey, clientKey) | ||||
| 	case "authorization_code": | ||||
| 		handleAuthorizationCode(ctx, form, serverKey, clientKey) | ||||
| 	default: | ||||
| 		handleAccessTokenError(ctx, AccessTokenError{ | ||||
| 			ErrorCode:        AccessTokenErrorCodeUnsupportedGrantType, | ||||
| 			ErrorDescription: "Only refresh_token or authorization_code grant type is supported", | ||||
| 		}) | ||||
| 	} | ||||
| } | ||||
|  | ||||
| func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, serverKey, clientKey oauth2.JWTSigningKey) { | ||||
| 	app, err := auth.GetOAuth2ApplicationByClientID(ctx, form.ClientID) | ||||
| 	if err != nil { | ||||
| 		handleAccessTokenError(ctx, AccessTokenError{ | ||||
| 			ErrorCode:        AccessTokenErrorCodeInvalidClient, | ||||
| 			ErrorDescription: fmt.Sprintf("cannot load client with client id: %q", form.ClientID), | ||||
| 		}) | ||||
| 		return | ||||
| 	} | ||||
| 	// "The authorization server MUST ... require client authentication for confidential clients" | ||||
| 	// https://datatracker.ietf.org/doc/html/rfc6749#section-6 | ||||
| 	if app.ConfidentialClient && !app.ValidateClientSecret([]byte(form.ClientSecret)) { | ||||
| 		errorDescription := "invalid client secret" | ||||
| 		if form.ClientSecret == "" { | ||||
| 			errorDescription = "invalid empty client secret" | ||||
| 		} | ||||
| 		// "invalid_client ... Client authentication failed" | ||||
| 		// https://datatracker.ietf.org/doc/html/rfc6749#section-5.2 | ||||
| 		handleAccessTokenError(ctx, AccessTokenError{ | ||||
| 			ErrorCode:        AccessTokenErrorCodeInvalidClient, | ||||
| 			ErrorDescription: errorDescription, | ||||
| 		}) | ||||
| 		return | ||||
| 	} | ||||
|  | ||||
| 	token, err := oauth2.ParseToken(form.RefreshToken, serverKey) | ||||
| 	if err != nil { | ||||
| 		handleAccessTokenError(ctx, AccessTokenError{ | ||||
| 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient, | ||||
| 			ErrorDescription: "unable to parse refresh token", | ||||
| 		}) | ||||
| 		return | ||||
| 	} | ||||
| 	// get grant before increasing counter | ||||
| 	grant, err := auth.GetOAuth2GrantByID(ctx, token.GrantID) | ||||
| 	if err != nil || grant == nil { | ||||
| 		handleAccessTokenError(ctx, AccessTokenError{ | ||||
| 			ErrorCode:        AccessTokenErrorCodeInvalidGrant, | ||||
| 			ErrorDescription: "grant does not exist", | ||||
| 		}) | ||||
| 		return | ||||
| 	} | ||||
|  | ||||
| 	// check if token got already used | ||||
| 	if setting.OAuth2.InvalidateRefreshTokens && (grant.Counter != token.Counter || token.Counter == 0) { | ||||
| 		handleAccessTokenError(ctx, AccessTokenError{ | ||||
| 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient, | ||||
| 			ErrorDescription: "token was already used", | ||||
| 		}) | ||||
| 		log.Warn("A client tried to use a refresh token for grant_id = %d was used twice!", grant.ID) | ||||
| 		return | ||||
| 	} | ||||
| 	accessToken, tokenErr := newAccessTokenResponse(ctx, grant, serverKey, clientKey) | ||||
| 	if tokenErr != nil { | ||||
| 		handleAccessTokenError(ctx, *tokenErr) | ||||
| 		return | ||||
| 	} | ||||
| 	ctx.JSON(http.StatusOK, accessToken) | ||||
| } | ||||
|  | ||||
| func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, serverKey, clientKey oauth2.JWTSigningKey) { | ||||
| 	app, err := auth.GetOAuth2ApplicationByClientID(ctx, form.ClientID) | ||||
| 	if err != nil { | ||||
| 		handleAccessTokenError(ctx, AccessTokenError{ | ||||
| 			ErrorCode:        AccessTokenErrorCodeInvalidClient, | ||||
| 			ErrorDescription: fmt.Sprintf("cannot load client with client id: '%s'", form.ClientID), | ||||
| 		}) | ||||
| 		return | ||||
| 	} | ||||
| 	if app.ConfidentialClient && !app.ValidateClientSecret([]byte(form.ClientSecret)) { | ||||
| 		errorDescription := "invalid client secret" | ||||
| 		if form.ClientSecret == "" { | ||||
| 			errorDescription = "invalid empty client secret" | ||||
| 		} | ||||
| 		handleAccessTokenError(ctx, AccessTokenError{ | ||||
| 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient, | ||||
| 			ErrorDescription: errorDescription, | ||||
| 		}) | ||||
| 		return | ||||
| 	} | ||||
| 	if form.RedirectURI != "" && !app.ContainsRedirectURI(form.RedirectURI) { | ||||
| 		handleAccessTokenError(ctx, AccessTokenError{ | ||||
| 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient, | ||||
| 			ErrorDescription: "unexpected redirect URI", | ||||
| 		}) | ||||
| 		return | ||||
| 	} | ||||
| 	authorizationCode, err := auth.GetOAuth2AuthorizationByCode(ctx, form.Code) | ||||
| 	if err != nil || authorizationCode == nil { | ||||
| 		handleAccessTokenError(ctx, AccessTokenError{ | ||||
| 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient, | ||||
| 			ErrorDescription: "client is not authorized", | ||||
| 		}) | ||||
| 		return | ||||
| 	} | ||||
| 	// check if code verifier authorizes the client, PKCE support | ||||
| 	if !authorizationCode.ValidateCodeChallenge(form.CodeVerifier) { | ||||
| 		handleAccessTokenError(ctx, AccessTokenError{ | ||||
| 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient, | ||||
| 			ErrorDescription: "failed PKCE code challenge", | ||||
| 		}) | ||||
| 		return | ||||
| 	} | ||||
| 	// check if granted for this application | ||||
| 	if authorizationCode.Grant.ApplicationID != app.ID { | ||||
| 		handleAccessTokenError(ctx, AccessTokenError{ | ||||
| 			ErrorCode:        AccessTokenErrorCodeInvalidGrant, | ||||
| 			ErrorDescription: "invalid grant", | ||||
| 		}) | ||||
| 		return | ||||
| 	} | ||||
| 	// remove token from database to deny duplicate usage | ||||
| 	if err := authorizationCode.Invalidate(ctx); err != nil { | ||||
| 		handleAccessTokenError(ctx, AccessTokenError{ | ||||
| 			ErrorCode:        AccessTokenErrorCodeInvalidRequest, | ||||
| 			ErrorDescription: "cannot proceed your request", | ||||
| 		}) | ||||
| 	} | ||||
| 	resp, tokenErr := newAccessTokenResponse(ctx, authorizationCode.Grant, serverKey, clientKey) | ||||
| 	if tokenErr != nil { | ||||
| 		handleAccessTokenError(ctx, *tokenErr) | ||||
| 		return | ||||
| 	} | ||||
| 	// send successful response | ||||
| 	ctx.JSON(http.StatusOK, resp) | ||||
| } | ||||
|  | ||||
| func handleAccessTokenError(ctx *context.Context, acErr AccessTokenError) { | ||||
| 	ctx.JSON(http.StatusBadRequest, acErr) | ||||
| } | ||||
|  | ||||
| func handleServerError(ctx *context.Context, state, redirectURI string) { | ||||
| 	handleAuthorizeError(ctx, AuthorizeError{ | ||||
| 		ErrorCode:        ErrorCodeServerError, | ||||
| 		ErrorDescription: "A server error occurred", | ||||
| 		State:            state, | ||||
| 	}, redirectURI) | ||||
| } | ||||
|  | ||||
| func handleAuthorizeError(ctx *context.Context, authErr AuthorizeError, redirectURI string) { | ||||
| 	if redirectURI == "" { | ||||
| 		log.Warn("Authorization failed: %v", authErr.ErrorDescription) | ||||
| 		ctx.Data["Error"] = authErr | ||||
| 		ctx.HTML(http.StatusBadRequest, tplGrantError) | ||||
| 		return | ||||
| 	} | ||||
| 	redirect, err := url.Parse(redirectURI) | ||||
| 	if err != nil { | ||||
| 		ctx.ServerError("url.Parse", err) | ||||
| 		return | ||||
| 	} | ||||
| 	q := redirect.Query() | ||||
| 	q.Set("error", string(authErr.ErrorCode)) | ||||
| 	q.Set("error_description", authErr.ErrorDescription) | ||||
| 	q.Set("state", authErr.State) | ||||
| 	redirect.RawQuery = q.Encode() | ||||
| 	ctx.Redirect(redirect.String(), http.StatusSeeOther) | ||||
| } | ||||
|  | ||||
| // SignInOAuth handles the OAuth2 login buttons | ||||
| func SignInOAuth(ctx *context.Context) { | ||||
| 	provider := ctx.PathParam(":provider") | ||||
|   | ||||
							
								
								
									
										666
									
								
								routers/web/auth/oauth2_provider.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										666
									
								
								routers/web/auth/oauth2_provider.go
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,666 @@ | ||||
| // Copyright 2024 The Gitea Authors. All rights reserved. | ||||
| // SPDX-License-Identifier: MIT | ||||
|  | ||||
| package auth | ||||
|  | ||||
| import ( | ||||
| 	"errors" | ||||
| 	"fmt" | ||||
| 	"html" | ||||
| 	"html/template" | ||||
| 	"net/http" | ||||
| 	"net/url" | ||||
| 	"strings" | ||||
|  | ||||
| 	"code.gitea.io/gitea/models/auth" | ||||
| 	user_model "code.gitea.io/gitea/models/user" | ||||
| 	"code.gitea.io/gitea/modules/base" | ||||
| 	"code.gitea.io/gitea/modules/json" | ||||
| 	"code.gitea.io/gitea/modules/log" | ||||
| 	"code.gitea.io/gitea/modules/setting" | ||||
| 	"code.gitea.io/gitea/modules/web" | ||||
| 	auth_service "code.gitea.io/gitea/services/auth" | ||||
| 	"code.gitea.io/gitea/services/context" | ||||
| 	"code.gitea.io/gitea/services/forms" | ||||
| 	"code.gitea.io/gitea/services/oauth2_provider" | ||||
|  | ||||
| 	"gitea.com/go-chi/binding" | ||||
| 	jwt "github.com/golang-jwt/jwt/v5" | ||||
| ) | ||||
|  | ||||
| const ( | ||||
| 	tplGrantAccess base.TplName = "user/auth/grant" | ||||
| 	tplGrantError  base.TplName = "user/auth/grant_error" | ||||
| ) | ||||
|  | ||||
| // TODO move error and responses to SDK or models | ||||
|  | ||||
| // AuthorizeErrorCode represents an error code specified in RFC 6749 | ||||
| // https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2.1 | ||||
| type AuthorizeErrorCode string | ||||
|  | ||||
| const ( | ||||
| 	// ErrorCodeInvalidRequest represents the according error in RFC 6749 | ||||
| 	ErrorCodeInvalidRequest AuthorizeErrorCode = "invalid_request" | ||||
| 	// ErrorCodeUnauthorizedClient represents the according error in RFC 6749 | ||||
| 	ErrorCodeUnauthorizedClient AuthorizeErrorCode = "unauthorized_client" | ||||
| 	// ErrorCodeAccessDenied represents the according error in RFC 6749 | ||||
| 	ErrorCodeAccessDenied AuthorizeErrorCode = "access_denied" | ||||
| 	// ErrorCodeUnsupportedResponseType represents the according error in RFC 6749 | ||||
| 	ErrorCodeUnsupportedResponseType AuthorizeErrorCode = "unsupported_response_type" | ||||
| 	// ErrorCodeInvalidScope represents the according error in RFC 6749 | ||||
| 	ErrorCodeInvalidScope AuthorizeErrorCode = "invalid_scope" | ||||
| 	// ErrorCodeServerError represents the according error in RFC 6749 | ||||
| 	ErrorCodeServerError AuthorizeErrorCode = "server_error" | ||||
| 	// ErrorCodeTemporaryUnavailable represents the according error in RFC 6749 | ||||
| 	ErrorCodeTemporaryUnavailable AuthorizeErrorCode = "temporarily_unavailable" | ||||
| ) | ||||
|  | ||||
| // AuthorizeError represents an error type specified in RFC 6749 | ||||
| // https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2.1 | ||||
| type AuthorizeError struct { | ||||
| 	ErrorCode        AuthorizeErrorCode `json:"error" form:"error"` | ||||
| 	ErrorDescription string | ||||
| 	State            string | ||||
| } | ||||
|  | ||||
| // Error returns the error message | ||||
| func (err AuthorizeError) Error() string { | ||||
| 	return fmt.Sprintf("%s: %s", err.ErrorCode, err.ErrorDescription) | ||||
| } | ||||
|  | ||||
| // errCallback represents a oauth2 callback error | ||||
| type errCallback struct { | ||||
| 	Code        string | ||||
| 	Description string | ||||
| } | ||||
|  | ||||
| func (err errCallback) Error() string { | ||||
| 	return err.Description | ||||
| } | ||||
|  | ||||
| type userInfoResponse struct { | ||||
| 	Sub      string   `json:"sub"` | ||||
| 	Name     string   `json:"name"` | ||||
| 	Username string   `json:"preferred_username"` | ||||
| 	Email    string   `json:"email"` | ||||
| 	Picture  string   `json:"picture"` | ||||
| 	Groups   []string `json:"groups"` | ||||
| } | ||||
|  | ||||
| // InfoOAuth manages request for userinfo endpoint | ||||
| func InfoOAuth(ctx *context.Context) { | ||||
| 	if ctx.Doer == nil || ctx.Data["AuthedMethod"] != (&auth_service.OAuth2{}).Name() { | ||||
| 		ctx.Resp.Header().Set("WWW-Authenticate", `Bearer realm=""`) | ||||
| 		ctx.PlainText(http.StatusUnauthorized, "no valid authorization") | ||||
| 		return | ||||
| 	} | ||||
|  | ||||
| 	response := &userInfoResponse{ | ||||
| 		Sub:      fmt.Sprint(ctx.Doer.ID), | ||||
| 		Name:     ctx.Doer.FullName, | ||||
| 		Username: ctx.Doer.Name, | ||||
| 		Email:    ctx.Doer.Email, | ||||
| 		Picture:  ctx.Doer.AvatarLink(ctx), | ||||
| 	} | ||||
|  | ||||
| 	groups, err := oauth2_provider.GetOAuthGroupsForUser(ctx, ctx.Doer) | ||||
| 	if err != nil { | ||||
| 		ctx.ServerError("Oauth groups for user", err) | ||||
| 		return | ||||
| 	} | ||||
| 	response.Groups = groups | ||||
|  | ||||
| 	ctx.JSON(http.StatusOK, response) | ||||
| } | ||||
|  | ||||
| func parseBasicAuth(ctx *context.Context) (username, password string, err error) { | ||||
| 	authHeader := ctx.Req.Header.Get("Authorization") | ||||
| 	if authType, authData, ok := strings.Cut(authHeader, " "); ok && strings.EqualFold(authType, "Basic") { | ||||
| 		return base.BasicAuthDecode(authData) | ||||
| 	} | ||||
| 	return "", "", errors.New("invalid basic authentication") | ||||
| } | ||||
|  | ||||
| // IntrospectOAuth introspects an oauth token | ||||
| func IntrospectOAuth(ctx *context.Context) { | ||||
| 	clientIDValid := false | ||||
| 	if clientID, clientSecret, err := parseBasicAuth(ctx); err == nil { | ||||
| 		app, err := auth.GetOAuth2ApplicationByClientID(ctx, clientID) | ||||
| 		if err != nil && !auth.IsErrOauthClientIDInvalid(err) { | ||||
| 			// this is likely a database error; log it and respond without details | ||||
| 			log.Error("Error retrieving client_id: %v", err) | ||||
| 			ctx.Error(http.StatusInternalServerError) | ||||
| 			return | ||||
| 		} | ||||
| 		clientIDValid = err == nil && app.ValidateClientSecret([]byte(clientSecret)) | ||||
| 	} | ||||
| 	if !clientIDValid { | ||||
| 		ctx.Resp.Header().Set("WWW-Authenticate", `Basic realm=""`) | ||||
| 		ctx.PlainText(http.StatusUnauthorized, "no valid authorization") | ||||
| 		return | ||||
| 	} | ||||
|  | ||||
| 	var response struct { | ||||
| 		Active   bool   `json:"active"` | ||||
| 		Scope    string `json:"scope,omitempty"` | ||||
| 		Username string `json:"username,omitempty"` | ||||
| 		jwt.RegisteredClaims | ||||
| 	} | ||||
|  | ||||
| 	form := web.GetForm(ctx).(*forms.IntrospectTokenForm) | ||||
| 	token, err := oauth2_provider.ParseToken(form.Token, oauth2_provider.DefaultSigningKey) | ||||
| 	if err == nil { | ||||
| 		grant, err := auth.GetOAuth2GrantByID(ctx, token.GrantID) | ||||
| 		if err == nil && grant != nil { | ||||
| 			app, err := auth.GetOAuth2ApplicationByID(ctx, grant.ApplicationID) | ||||
| 			if err == nil && app != nil { | ||||
| 				response.Active = true | ||||
| 				response.Scope = grant.Scope | ||||
| 				response.Issuer = setting.AppURL | ||||
| 				response.Audience = []string{app.ClientID} | ||||
| 				response.Subject = fmt.Sprint(grant.UserID) | ||||
| 			} | ||||
| 			if user, err := user_model.GetUserByID(ctx, grant.UserID); err == nil { | ||||
| 				response.Username = user.Name | ||||
| 			} | ||||
| 		} | ||||
| 	} | ||||
|  | ||||
| 	ctx.JSON(http.StatusOK, response) | ||||
| } | ||||
|  | ||||
| // AuthorizeOAuth manages authorize requests | ||||
| func AuthorizeOAuth(ctx *context.Context) { | ||||
| 	form := web.GetForm(ctx).(*forms.AuthorizationForm) | ||||
| 	errs := binding.Errors{} | ||||
| 	errs = form.Validate(ctx.Req, errs) | ||||
| 	if len(errs) > 0 { | ||||
| 		errstring := "" | ||||
| 		for _, e := range errs { | ||||
| 			errstring += e.Error() + "\n" | ||||
| 		} | ||||
| 		ctx.ServerError("AuthorizeOAuth: Validate: ", fmt.Errorf("errors occurred during validation: %s", errstring)) | ||||
| 		return | ||||
| 	} | ||||
|  | ||||
| 	app, err := auth.GetOAuth2ApplicationByClientID(ctx, form.ClientID) | ||||
| 	if err != nil { | ||||
| 		if auth.IsErrOauthClientIDInvalid(err) { | ||||
| 			handleAuthorizeError(ctx, AuthorizeError{ | ||||
| 				ErrorCode:        ErrorCodeUnauthorizedClient, | ||||
| 				ErrorDescription: "Client ID not registered", | ||||
| 				State:            form.State, | ||||
| 			}, "") | ||||
| 			return | ||||
| 		} | ||||
| 		ctx.ServerError("GetOAuth2ApplicationByClientID", err) | ||||
| 		return | ||||
| 	} | ||||
|  | ||||
| 	var user *user_model.User | ||||
| 	if app.UID != 0 { | ||||
| 		user, err = user_model.GetUserByID(ctx, app.UID) | ||||
| 		if err != nil { | ||||
| 			ctx.ServerError("GetUserByID", err) | ||||
| 			return | ||||
| 		} | ||||
| 	} | ||||
|  | ||||
| 	if !app.ContainsRedirectURI(form.RedirectURI) { | ||||
| 		handleAuthorizeError(ctx, AuthorizeError{ | ||||
| 			ErrorCode:        ErrorCodeInvalidRequest, | ||||
| 			ErrorDescription: "Unregistered Redirect URI", | ||||
| 			State:            form.State, | ||||
| 		}, "") | ||||
| 		return | ||||
| 	} | ||||
|  | ||||
| 	if form.ResponseType != "code" { | ||||
| 		handleAuthorizeError(ctx, AuthorizeError{ | ||||
| 			ErrorCode:        ErrorCodeUnsupportedResponseType, | ||||
| 			ErrorDescription: "Only code response type is supported.", | ||||
| 			State:            form.State, | ||||
| 		}, form.RedirectURI) | ||||
| 		return | ||||
| 	} | ||||
|  | ||||
| 	// pkce support | ||||
| 	switch form.CodeChallengeMethod { | ||||
| 	case "S256": | ||||
| 	case "plain": | ||||
| 		if err := ctx.Session.Set("CodeChallengeMethod", form.CodeChallengeMethod); err != nil { | ||||
| 			handleAuthorizeError(ctx, AuthorizeError{ | ||||
| 				ErrorCode:        ErrorCodeServerError, | ||||
| 				ErrorDescription: "cannot set code challenge method", | ||||
| 				State:            form.State, | ||||
| 			}, form.RedirectURI) | ||||
| 			return | ||||
| 		} | ||||
| 		if err := ctx.Session.Set("CodeChallengeMethod", form.CodeChallenge); err != nil { | ||||
| 			handleAuthorizeError(ctx, AuthorizeError{ | ||||
| 				ErrorCode:        ErrorCodeServerError, | ||||
| 				ErrorDescription: "cannot set code challenge", | ||||
| 				State:            form.State, | ||||
| 			}, form.RedirectURI) | ||||
| 			return | ||||
| 		} | ||||
| 		// Here we're just going to try to release the session early | ||||
| 		if err := ctx.Session.Release(); err != nil { | ||||
| 			// we'll tolerate errors here as they *should* get saved elsewhere | ||||
| 			log.Error("Unable to save changes to the session: %v", err) | ||||
| 		} | ||||
| 	case "": | ||||
| 		// "Authorization servers SHOULD reject authorization requests from native apps that don't use PKCE by returning an error message" | ||||
| 		// https://datatracker.ietf.org/doc/html/rfc8252#section-8.1 | ||||
| 		if !app.ConfidentialClient { | ||||
| 			// "the authorization endpoint MUST return the authorization error response with the "error" value set to "invalid_request"" | ||||
| 			// https://datatracker.ietf.org/doc/html/rfc7636#section-4.4.1 | ||||
| 			handleAuthorizeError(ctx, AuthorizeError{ | ||||
| 				ErrorCode:        ErrorCodeInvalidRequest, | ||||
| 				ErrorDescription: "PKCE is required for public clients", | ||||
| 				State:            form.State, | ||||
| 			}, form.RedirectURI) | ||||
| 			return | ||||
| 		} | ||||
| 	default: | ||||
| 		// "If the server supporting PKCE does not support the requested transformation, the authorization endpoint MUST return the authorization error response with "error" value set to "invalid_request"." | ||||
| 		// https://www.rfc-editor.org/rfc/rfc7636#section-4.4.1 | ||||
| 		handleAuthorizeError(ctx, AuthorizeError{ | ||||
| 			ErrorCode:        ErrorCodeInvalidRequest, | ||||
| 			ErrorDescription: "unsupported code challenge method", | ||||
| 			State:            form.State, | ||||
| 		}, form.RedirectURI) | ||||
| 		return | ||||
| 	} | ||||
|  | ||||
| 	grant, err := app.GetGrantByUserID(ctx, ctx.Doer.ID) | ||||
| 	if err != nil { | ||||
| 		handleServerError(ctx, form.State, form.RedirectURI) | ||||
| 		return | ||||
| 	} | ||||
|  | ||||
| 	// Redirect if user already granted access and the application is confidential or trusted otherwise | ||||
| 	// I.e. always require authorization for untrusted public clients as recommended by RFC 6749 Section 10.2 | ||||
| 	if (app.ConfidentialClient || app.SkipSecondaryAuthorization) && grant != nil { | ||||
| 		code, err := grant.GenerateNewAuthorizationCode(ctx, form.RedirectURI, form.CodeChallenge, form.CodeChallengeMethod) | ||||
| 		if err != nil { | ||||
| 			handleServerError(ctx, form.State, form.RedirectURI) | ||||
| 			return | ||||
| 		} | ||||
| 		redirect, err := code.GenerateRedirectURI(form.State) | ||||
| 		if err != nil { | ||||
| 			handleServerError(ctx, form.State, form.RedirectURI) | ||||
| 			return | ||||
| 		} | ||||
| 		// Update nonce to reflect the new session | ||||
| 		if len(form.Nonce) > 0 { | ||||
| 			err := grant.SetNonce(ctx, form.Nonce) | ||||
| 			if err != nil { | ||||
| 				log.Error("Unable to update nonce: %v", err) | ||||
| 			} | ||||
| 		} | ||||
| 		ctx.Redirect(redirect.String()) | ||||
| 		return | ||||
| 	} | ||||
|  | ||||
| 	// show authorize page to grant access | ||||
| 	ctx.Data["Application"] = app | ||||
| 	ctx.Data["RedirectURI"] = form.RedirectURI | ||||
| 	ctx.Data["State"] = form.State | ||||
| 	ctx.Data["Scope"] = form.Scope | ||||
| 	ctx.Data["Nonce"] = form.Nonce | ||||
| 	if user != nil { | ||||
| 		ctx.Data["ApplicationCreatorLinkHTML"] = template.HTML(fmt.Sprintf(`<a href="%s">@%s</a>`, html.EscapeString(user.HomeLink()), html.EscapeString(user.Name))) | ||||
| 	} else { | ||||
| 		ctx.Data["ApplicationCreatorLinkHTML"] = template.HTML(fmt.Sprintf(`<a href="%s">%s</a>`, html.EscapeString(setting.AppSubURL+"/"), html.EscapeString(setting.AppName))) | ||||
| 	} | ||||
| 	ctx.Data["ApplicationRedirectDomainHTML"] = template.HTML("<strong>" + html.EscapeString(form.RedirectURI) + "</strong>") | ||||
| 	// TODO document SESSION <=> FORM | ||||
| 	err = ctx.Session.Set("client_id", app.ClientID) | ||||
| 	if err != nil { | ||||
| 		handleServerError(ctx, form.State, form.RedirectURI) | ||||
| 		log.Error(err.Error()) | ||||
| 		return | ||||
| 	} | ||||
| 	err = ctx.Session.Set("redirect_uri", form.RedirectURI) | ||||
| 	if err != nil { | ||||
| 		handleServerError(ctx, form.State, form.RedirectURI) | ||||
| 		log.Error(err.Error()) | ||||
| 		return | ||||
| 	} | ||||
| 	err = ctx.Session.Set("state", form.State) | ||||
| 	if err != nil { | ||||
| 		handleServerError(ctx, form.State, form.RedirectURI) | ||||
| 		log.Error(err.Error()) | ||||
| 		return | ||||
| 	} | ||||
| 	// Here we're just going to try to release the session early | ||||
| 	if err := ctx.Session.Release(); err != nil { | ||||
| 		// we'll tolerate errors here as they *should* get saved elsewhere | ||||
| 		log.Error("Unable to save changes to the session: %v", err) | ||||
| 	} | ||||
| 	ctx.HTML(http.StatusOK, tplGrantAccess) | ||||
| } | ||||
|  | ||||
| // GrantApplicationOAuth manages the post request submitted when a user grants access to an application | ||||
| func GrantApplicationOAuth(ctx *context.Context) { | ||||
| 	form := web.GetForm(ctx).(*forms.GrantApplicationForm) | ||||
| 	if ctx.Session.Get("client_id") != form.ClientID || ctx.Session.Get("state") != form.State || | ||||
| 		ctx.Session.Get("redirect_uri") != form.RedirectURI { | ||||
| 		ctx.Error(http.StatusBadRequest) | ||||
| 		return | ||||
| 	} | ||||
|  | ||||
| 	if !form.Granted { | ||||
| 		handleAuthorizeError(ctx, AuthorizeError{ | ||||
| 			State:            form.State, | ||||
| 			ErrorDescription: "the request is denied", | ||||
| 			ErrorCode:        ErrorCodeAccessDenied, | ||||
| 		}, form.RedirectURI) | ||||
| 		return | ||||
| 	} | ||||
|  | ||||
| 	app, err := auth.GetOAuth2ApplicationByClientID(ctx, form.ClientID) | ||||
| 	if err != nil { | ||||
| 		ctx.ServerError("GetOAuth2ApplicationByClientID", err) | ||||
| 		return | ||||
| 	} | ||||
| 	grant, err := app.GetGrantByUserID(ctx, ctx.Doer.ID) | ||||
| 	if err != nil { | ||||
| 		handleServerError(ctx, form.State, form.RedirectURI) | ||||
| 		return | ||||
| 	} | ||||
| 	if grant == nil { | ||||
| 		grant, err = app.CreateGrant(ctx, ctx.Doer.ID, form.Scope) | ||||
| 		if err != nil { | ||||
| 			handleAuthorizeError(ctx, AuthorizeError{ | ||||
| 				State:            form.State, | ||||
| 				ErrorDescription: "cannot create grant for user", | ||||
| 				ErrorCode:        ErrorCodeServerError, | ||||
| 			}, form.RedirectURI) | ||||
| 			return | ||||
| 		} | ||||
| 	} else if grant.Scope != form.Scope { | ||||
| 		handleAuthorizeError(ctx, AuthorizeError{ | ||||
| 			State:            form.State, | ||||
| 			ErrorDescription: "a grant exists with different scope", | ||||
| 			ErrorCode:        ErrorCodeServerError, | ||||
| 		}, form.RedirectURI) | ||||
| 		return | ||||
| 	} | ||||
|  | ||||
| 	if len(form.Nonce) > 0 { | ||||
| 		err := grant.SetNonce(ctx, form.Nonce) | ||||
| 		if err != nil { | ||||
| 			log.Error("Unable to update nonce: %v", err) | ||||
| 		} | ||||
| 	} | ||||
|  | ||||
| 	var codeChallenge, codeChallengeMethod string | ||||
| 	codeChallenge, _ = ctx.Session.Get("CodeChallenge").(string) | ||||
| 	codeChallengeMethod, _ = ctx.Session.Get("CodeChallengeMethod").(string) | ||||
|  | ||||
| 	code, err := grant.GenerateNewAuthorizationCode(ctx, form.RedirectURI, codeChallenge, codeChallengeMethod) | ||||
| 	if err != nil { | ||||
| 		handleServerError(ctx, form.State, form.RedirectURI) | ||||
| 		return | ||||
| 	} | ||||
| 	redirect, err := code.GenerateRedirectURI(form.State) | ||||
| 	if err != nil { | ||||
| 		handleServerError(ctx, form.State, form.RedirectURI) | ||||
| 		return | ||||
| 	} | ||||
| 	ctx.Redirect(redirect.String(), http.StatusSeeOther) | ||||
| } | ||||
|  | ||||
| // OIDCWellKnown generates JSON so OIDC clients know Gitea's capabilities | ||||
| func OIDCWellKnown(ctx *context.Context) { | ||||
| 	ctx.Data["SigningKey"] = oauth2_provider.DefaultSigningKey | ||||
| 	ctx.JSONTemplate("user/auth/oidc_wellknown") | ||||
| } | ||||
|  | ||||
| // OIDCKeys generates the JSON Web Key Set | ||||
| func OIDCKeys(ctx *context.Context) { | ||||
| 	jwk, err := oauth2_provider.DefaultSigningKey.ToJWK() | ||||
| 	if err != nil { | ||||
| 		log.Error("Error converting signing key to JWK: %v", err) | ||||
| 		ctx.Error(http.StatusInternalServerError) | ||||
| 		return | ||||
| 	} | ||||
|  | ||||
| 	jwk["use"] = "sig" | ||||
|  | ||||
| 	jwks := map[string][]map[string]string{ | ||||
| 		"keys": { | ||||
| 			jwk, | ||||
| 		}, | ||||
| 	} | ||||
|  | ||||
| 	ctx.Resp.Header().Set("Content-Type", "application/json") | ||||
| 	enc := json.NewEncoder(ctx.Resp) | ||||
| 	if err := enc.Encode(jwks); err != nil { | ||||
| 		log.Error("Failed to encode representation as json. Error: %v", err) | ||||
| 	} | ||||
| } | ||||
|  | ||||
| // AccessTokenOAuth manages all access token requests by the client | ||||
| func AccessTokenOAuth(ctx *context.Context) { | ||||
| 	form := *web.GetForm(ctx).(*forms.AccessTokenForm) | ||||
| 	// if there is no ClientID or ClientSecret in the request body, fill these fields by the Authorization header and ensure the provided field matches the Authorization header | ||||
| 	if form.ClientID == "" || form.ClientSecret == "" { | ||||
| 		authHeader := ctx.Req.Header.Get("Authorization") | ||||
| 		if authType, authData, ok := strings.Cut(authHeader, " "); ok && strings.EqualFold(authType, "Basic") { | ||||
| 			clientID, clientSecret, err := base.BasicAuthDecode(authData) | ||||
| 			if err != nil { | ||||
| 				handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ | ||||
| 					ErrorCode:        oauth2_provider.AccessTokenErrorCodeInvalidRequest, | ||||
| 					ErrorDescription: "cannot parse basic auth header", | ||||
| 				}) | ||||
| 				return | ||||
| 			} | ||||
| 			// validate that any fields present in the form match the Basic auth header | ||||
| 			if form.ClientID != "" && form.ClientID != clientID { | ||||
| 				handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ | ||||
| 					ErrorCode:        oauth2_provider.AccessTokenErrorCodeInvalidRequest, | ||||
| 					ErrorDescription: "client_id in request body inconsistent with Authorization header", | ||||
| 				}) | ||||
| 				return | ||||
| 			} | ||||
| 			form.ClientID = clientID | ||||
| 			if form.ClientSecret != "" && form.ClientSecret != clientSecret { | ||||
| 				handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ | ||||
| 					ErrorCode:        oauth2_provider.AccessTokenErrorCodeInvalidRequest, | ||||
| 					ErrorDescription: "client_secret in request body inconsistent with Authorization header", | ||||
| 				}) | ||||
| 				return | ||||
| 			} | ||||
| 			form.ClientSecret = clientSecret | ||||
| 		} | ||||
| 	} | ||||
|  | ||||
| 	serverKey := oauth2_provider.DefaultSigningKey | ||||
| 	clientKey := serverKey | ||||
| 	if serverKey.IsSymmetric() { | ||||
| 		var err error | ||||
| 		clientKey, err = oauth2_provider.CreateJWTSigningKey(serverKey.SigningMethod().Alg(), []byte(form.ClientSecret)) | ||||
| 		if err != nil { | ||||
| 			handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ | ||||
| 				ErrorCode:        oauth2_provider.AccessTokenErrorCodeInvalidRequest, | ||||
| 				ErrorDescription: "Error creating signing key", | ||||
| 			}) | ||||
| 			return | ||||
| 		} | ||||
| 	} | ||||
|  | ||||
| 	switch form.GrantType { | ||||
| 	case "refresh_token": | ||||
| 		handleRefreshToken(ctx, form, serverKey, clientKey) | ||||
| 	case "authorization_code": | ||||
| 		handleAuthorizationCode(ctx, form, serverKey, clientKey) | ||||
| 	default: | ||||
| 		handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ | ||||
| 			ErrorCode:        oauth2_provider.AccessTokenErrorCodeUnsupportedGrantType, | ||||
| 			ErrorDescription: "Only refresh_token or authorization_code grant type is supported", | ||||
| 		}) | ||||
| 	} | ||||
| } | ||||
|  | ||||
| func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, serverKey, clientKey oauth2_provider.JWTSigningKey) { | ||||
| 	app, err := auth.GetOAuth2ApplicationByClientID(ctx, form.ClientID) | ||||
| 	if err != nil { | ||||
| 		handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ | ||||
| 			ErrorCode:        oauth2_provider.AccessTokenErrorCodeInvalidClient, | ||||
| 			ErrorDescription: fmt.Sprintf("cannot load client with client id: %q", form.ClientID), | ||||
| 		}) | ||||
| 		return | ||||
| 	} | ||||
| 	// "The authorization server MUST ... require client authentication for confidential clients" | ||||
| 	// https://datatracker.ietf.org/doc/html/rfc6749#section-6 | ||||
| 	if app.ConfidentialClient && !app.ValidateClientSecret([]byte(form.ClientSecret)) { | ||||
| 		errorDescription := "invalid client secret" | ||||
| 		if form.ClientSecret == "" { | ||||
| 			errorDescription = "invalid empty client secret" | ||||
| 		} | ||||
| 		// "invalid_client ... Client authentication failed" | ||||
| 		// https://datatracker.ietf.org/doc/html/rfc6749#section-5.2 | ||||
| 		handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ | ||||
| 			ErrorCode:        oauth2_provider.AccessTokenErrorCodeInvalidClient, | ||||
| 			ErrorDescription: errorDescription, | ||||
| 		}) | ||||
| 		return | ||||
| 	} | ||||
|  | ||||
| 	token, err := oauth2_provider.ParseToken(form.RefreshToken, serverKey) | ||||
| 	if err != nil { | ||||
| 		handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ | ||||
| 			ErrorCode:        oauth2_provider.AccessTokenErrorCodeUnauthorizedClient, | ||||
| 			ErrorDescription: "unable to parse refresh token", | ||||
| 		}) | ||||
| 		return | ||||
| 	} | ||||
| 	// get grant before increasing counter | ||||
| 	grant, err := auth.GetOAuth2GrantByID(ctx, token.GrantID) | ||||
| 	if err != nil || grant == nil { | ||||
| 		handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ | ||||
| 			ErrorCode:        oauth2_provider.AccessTokenErrorCodeInvalidGrant, | ||||
| 			ErrorDescription: "grant does not exist", | ||||
| 		}) | ||||
| 		return | ||||
| 	} | ||||
|  | ||||
| 	// check if token got already used | ||||
| 	if setting.OAuth2.InvalidateRefreshTokens && (grant.Counter != token.Counter || token.Counter == 0) { | ||||
| 		handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ | ||||
| 			ErrorCode:        oauth2_provider.AccessTokenErrorCodeUnauthorizedClient, | ||||
| 			ErrorDescription: "token was already used", | ||||
| 		}) | ||||
| 		log.Warn("A client tried to use a refresh token for grant_id = %d was used twice!", grant.ID) | ||||
| 		return | ||||
| 	} | ||||
| 	accessToken, tokenErr := oauth2_provider.NewAccessTokenResponse(ctx, grant, serverKey, clientKey) | ||||
| 	if tokenErr != nil { | ||||
| 		handleAccessTokenError(ctx, *tokenErr) | ||||
| 		return | ||||
| 	} | ||||
| 	ctx.JSON(http.StatusOK, accessToken) | ||||
| } | ||||
|  | ||||
| func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, serverKey, clientKey oauth2_provider.JWTSigningKey) { | ||||
| 	app, err := auth.GetOAuth2ApplicationByClientID(ctx, form.ClientID) | ||||
| 	if err != nil { | ||||
| 		handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ | ||||
| 			ErrorCode:        oauth2_provider.AccessTokenErrorCodeInvalidClient, | ||||
| 			ErrorDescription: fmt.Sprintf("cannot load client with client id: '%s'", form.ClientID), | ||||
| 		}) | ||||
| 		return | ||||
| 	} | ||||
| 	if app.ConfidentialClient && !app.ValidateClientSecret([]byte(form.ClientSecret)) { | ||||
| 		errorDescription := "invalid client secret" | ||||
| 		if form.ClientSecret == "" { | ||||
| 			errorDescription = "invalid empty client secret" | ||||
| 		} | ||||
| 		handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ | ||||
| 			ErrorCode:        oauth2_provider.AccessTokenErrorCodeUnauthorizedClient, | ||||
| 			ErrorDescription: errorDescription, | ||||
| 		}) | ||||
| 		return | ||||
| 	} | ||||
| 	if form.RedirectURI != "" && !app.ContainsRedirectURI(form.RedirectURI) { | ||||
| 		handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ | ||||
| 			ErrorCode:        oauth2_provider.AccessTokenErrorCodeUnauthorizedClient, | ||||
| 			ErrorDescription: "unexpected redirect URI", | ||||
| 		}) | ||||
| 		return | ||||
| 	} | ||||
| 	authorizationCode, err := auth.GetOAuth2AuthorizationByCode(ctx, form.Code) | ||||
| 	if err != nil || authorizationCode == nil { | ||||
| 		handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ | ||||
| 			ErrorCode:        oauth2_provider.AccessTokenErrorCodeUnauthorizedClient, | ||||
| 			ErrorDescription: "client is not authorized", | ||||
| 		}) | ||||
| 		return | ||||
| 	} | ||||
| 	// check if code verifier authorizes the client, PKCE support | ||||
| 	if !authorizationCode.ValidateCodeChallenge(form.CodeVerifier) { | ||||
| 		handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ | ||||
| 			ErrorCode:        oauth2_provider.AccessTokenErrorCodeUnauthorizedClient, | ||||
| 			ErrorDescription: "failed PKCE code challenge", | ||||
| 		}) | ||||
| 		return | ||||
| 	} | ||||
| 	// check if granted for this application | ||||
| 	if authorizationCode.Grant.ApplicationID != app.ID { | ||||
| 		handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ | ||||
| 			ErrorCode:        oauth2_provider.AccessTokenErrorCodeInvalidGrant, | ||||
| 			ErrorDescription: "invalid grant", | ||||
| 		}) | ||||
| 		return | ||||
| 	} | ||||
| 	// remove token from database to deny duplicate usage | ||||
| 	if err := authorizationCode.Invalidate(ctx); err != nil { | ||||
| 		handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ | ||||
| 			ErrorCode:        oauth2_provider.AccessTokenErrorCodeInvalidRequest, | ||||
| 			ErrorDescription: "cannot proceed your request", | ||||
| 		}) | ||||
| 	} | ||||
| 	resp, tokenErr := oauth2_provider.NewAccessTokenResponse(ctx, authorizationCode.Grant, serverKey, clientKey) | ||||
| 	if tokenErr != nil { | ||||
| 		handleAccessTokenError(ctx, *tokenErr) | ||||
| 		return | ||||
| 	} | ||||
| 	// send successful response | ||||
| 	ctx.JSON(http.StatusOK, resp) | ||||
| } | ||||
|  | ||||
| func handleAccessTokenError(ctx *context.Context, acErr oauth2_provider.AccessTokenError) { | ||||
| 	ctx.JSON(http.StatusBadRequest, acErr) | ||||
| } | ||||
|  | ||||
| func handleServerError(ctx *context.Context, state, redirectURI string) { | ||||
| 	handleAuthorizeError(ctx, AuthorizeError{ | ||||
| 		ErrorCode:        ErrorCodeServerError, | ||||
| 		ErrorDescription: "A server error occurred", | ||||
| 		State:            state, | ||||
| 	}, redirectURI) | ||||
| } | ||||
|  | ||||
| func handleAuthorizeError(ctx *context.Context, authErr AuthorizeError, redirectURI string) { | ||||
| 	if redirectURI == "" { | ||||
| 		log.Warn("Authorization failed: %v", authErr.ErrorDescription) | ||||
| 		ctx.Data["Error"] = authErr | ||||
| 		ctx.HTML(http.StatusBadRequest, tplGrantError) | ||||
| 		return | ||||
| 	} | ||||
| 	redirect, err := url.Parse(redirectURI) | ||||
| 	if err != nil { | ||||
| 		ctx.ServerError("url.Parse", err) | ||||
| 		return | ||||
| 	} | ||||
| 	q := redirect.Query() | ||||
| 	q.Set("error", string(authErr.ErrorCode)) | ||||
| 	q.Set("error_description", authErr.ErrorDescription) | ||||
| 	q.Set("state", authErr.State) | ||||
| 	redirect.RawQuery = q.Encode() | ||||
| 	ctx.Redirect(redirect.String(), http.StatusSeeOther) | ||||
| } | ||||
| @@ -11,22 +11,22 @@ import ( | ||||
| 	"code.gitea.io/gitea/models/unittest" | ||||
| 	user_model "code.gitea.io/gitea/models/user" | ||||
| 	"code.gitea.io/gitea/modules/setting" | ||||
| 	"code.gitea.io/gitea/services/auth/source/oauth2" | ||||
| 	"code.gitea.io/gitea/services/oauth2_provider" | ||||
|  | ||||
| 	"github.com/golang-jwt/jwt/v5" | ||||
| 	"github.com/stretchr/testify/assert" | ||||
| ) | ||||
|  | ||||
| func createAndParseToken(t *testing.T, grant *auth.OAuth2Grant) *oauth2.OIDCToken { | ||||
| 	signingKey, err := oauth2.CreateJWTSigningKey("HS256", make([]byte, 32)) | ||||
| func createAndParseToken(t *testing.T, grant *auth.OAuth2Grant) *oauth2_provider.OIDCToken { | ||||
| 	signingKey, err := oauth2_provider.CreateJWTSigningKey("HS256", make([]byte, 32)) | ||||
| 	assert.NoError(t, err) | ||||
| 	assert.NotNil(t, signingKey) | ||||
|  | ||||
| 	response, terr := newAccessTokenResponse(db.DefaultContext, grant, signingKey, signingKey) | ||||
| 	response, terr := oauth2_provider.NewAccessTokenResponse(db.DefaultContext, grant, signingKey, signingKey) | ||||
| 	assert.Nil(t, terr) | ||||
| 	assert.NotNil(t, response) | ||||
|  | ||||
| 	parsedToken, err := jwt.ParseWithClaims(response.IDToken, &oauth2.OIDCToken{}, func(token *jwt.Token) (any, error) { | ||||
| 	parsedToken, err := jwt.ParseWithClaims(response.IDToken, &oauth2_provider.OIDCToken{}, func(token *jwt.Token) (any, error) { | ||||
| 		assert.NotNil(t, token.Method) | ||||
| 		assert.Equal(t, signingKey.SigningMethod().Alg(), token.Method.Alg()) | ||||
| 		return signingKey.VerifyKey(), nil | ||||
| @@ -34,7 +34,7 @@ func createAndParseToken(t *testing.T, grant *auth.OAuth2Grant) *oauth2.OIDCToke | ||||
| 	assert.NoError(t, err) | ||||
| 	assert.True(t, parsedToken.Valid) | ||||
|  | ||||
| 	oidcToken, ok := parsedToken.Claims.(*oauth2.OIDCToken) | ||||
| 	oidcToken, ok := parsedToken.Claims.(*oauth2_provider.OIDCToken) | ||||
| 	assert.True(t, ok) | ||||
| 	assert.NotNil(t, oidcToken) | ||||
|  | ||||
|   | ||||
| @@ -17,7 +17,7 @@ import ( | ||||
| 	"code.gitea.io/gitea/modules/setting" | ||||
| 	"code.gitea.io/gitea/modules/timeutil" | ||||
| 	"code.gitea.io/gitea/modules/web/middleware" | ||||
| 	"code.gitea.io/gitea/services/auth/source/oauth2" | ||||
| 	"code.gitea.io/gitea/services/oauth2_provider" | ||||
| ) | ||||
|  | ||||
| // Ensure the struct implements the interface. | ||||
| @@ -31,7 +31,7 @@ func CheckOAuthAccessToken(ctx context.Context, accessToken string) int64 { | ||||
| 	if !strings.Contains(accessToken, ".") { | ||||
| 		return 0 | ||||
| 	} | ||||
| 	token, err := oauth2.ParseToken(accessToken, oauth2.DefaultSigningKey) | ||||
| 	token, err := oauth2_provider.ParseToken(accessToken, oauth2_provider.DefaultSigningKey) | ||||
| 	if err != nil { | ||||
| 		log.Trace("oauth2.ParseToken: %v", err) | ||||
| 		return 0 | ||||
| @@ -40,7 +40,7 @@ func CheckOAuthAccessToken(ctx context.Context, accessToken string) int64 { | ||||
| 	if grant, err = auth_model.GetOAuth2GrantByID(ctx, token.GrantID); err != nil || grant == nil { | ||||
| 		return 0 | ||||
| 	} | ||||
| 	if token.Type != oauth2.TypeAccessToken { | ||||
| 	if token.Kind != oauth2_provider.KindAccessToken { | ||||
| 		return 0 | ||||
| 	} | ||||
| 	if token.ExpiresAt.Before(time.Now()) || token.IssuedAt.After(time.Now()) { | ||||
|   | ||||
| @@ -30,10 +30,6 @@ const ProviderHeaderKey = "gitea-oauth2-provider" | ||||
|  | ||||
| // Init initializes the oauth source | ||||
| func Init(ctx context.Context) error { | ||||
| 	if err := InitSigningKey(); err != nil { | ||||
| 		return err | ||||
| 	} | ||||
|  | ||||
| 	// Lock our mutex | ||||
| 	gothRWMutex.Lock() | ||||
|  | ||||
|   | ||||
							
								
								
									
										214
									
								
								services/oauth2_provider/access_token.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										214
									
								
								services/oauth2_provider/access_token.go
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,214 @@ | ||||
| // Copyright 2024 The Gitea Authors. All rights reserved. | ||||
| // SPDX-License-Identifier: MIT | ||||
|  | ||||
| package oauth2_provider //nolint | ||||
|  | ||||
| import ( | ||||
| 	"context" | ||||
| 	"fmt" | ||||
|  | ||||
| 	auth "code.gitea.io/gitea/models/auth" | ||||
| 	org_model "code.gitea.io/gitea/models/organization" | ||||
| 	user_model "code.gitea.io/gitea/models/user" | ||||
| 	"code.gitea.io/gitea/modules/log" | ||||
| 	"code.gitea.io/gitea/modules/setting" | ||||
| 	"code.gitea.io/gitea/modules/timeutil" | ||||
|  | ||||
| 	"github.com/golang-jwt/jwt/v5" | ||||
| ) | ||||
|  | ||||
| // AccessTokenErrorCode represents an error code specified in RFC 6749 | ||||
| // https://datatracker.ietf.org/doc/html/rfc6749#section-5.2 | ||||
| type AccessTokenErrorCode string | ||||
|  | ||||
| const ( | ||||
| 	// AccessTokenErrorCodeInvalidRequest represents an error code specified in RFC 6749 | ||||
| 	AccessTokenErrorCodeInvalidRequest AccessTokenErrorCode = "invalid_request" | ||||
| 	// AccessTokenErrorCodeInvalidClient represents an error code specified in RFC 6749 | ||||
| 	AccessTokenErrorCodeInvalidClient = "invalid_client" | ||||
| 	// AccessTokenErrorCodeInvalidGrant represents an error code specified in RFC 6749 | ||||
| 	AccessTokenErrorCodeInvalidGrant = "invalid_grant" | ||||
| 	// AccessTokenErrorCodeUnauthorizedClient represents an error code specified in RFC 6749 | ||||
| 	AccessTokenErrorCodeUnauthorizedClient = "unauthorized_client" | ||||
| 	// AccessTokenErrorCodeUnsupportedGrantType represents an error code specified in RFC 6749 | ||||
| 	AccessTokenErrorCodeUnsupportedGrantType = "unsupported_grant_type" | ||||
| 	// AccessTokenErrorCodeInvalidScope represents an error code specified in RFC 6749 | ||||
| 	AccessTokenErrorCodeInvalidScope = "invalid_scope" | ||||
| ) | ||||
|  | ||||
| // AccessTokenError represents an error response specified in RFC 6749 | ||||
| // https://datatracker.ietf.org/doc/html/rfc6749#section-5.2 | ||||
| type AccessTokenError struct { | ||||
| 	ErrorCode        AccessTokenErrorCode `json:"error" form:"error"` | ||||
| 	ErrorDescription string               `json:"error_description"` | ||||
| } | ||||
|  | ||||
| // Error returns the error message | ||||
| func (err AccessTokenError) Error() string { | ||||
| 	return fmt.Sprintf("%s: %s", err.ErrorCode, err.ErrorDescription) | ||||
| } | ||||
|  | ||||
| // TokenType specifies the kind of token | ||||
| type TokenType string | ||||
|  | ||||
| const ( | ||||
| 	// TokenTypeBearer represents a token type specified in RFC 6749 | ||||
| 	TokenTypeBearer TokenType = "bearer" | ||||
| 	// TokenTypeMAC represents a token type specified in RFC 6749 | ||||
| 	TokenTypeMAC = "mac" | ||||
| ) | ||||
|  | ||||
| // AccessTokenResponse represents a successful access token response | ||||
| // https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2 | ||||
| type AccessTokenResponse struct { | ||||
| 	AccessToken  string    `json:"access_token"` | ||||
| 	TokenType    TokenType `json:"token_type"` | ||||
| 	ExpiresIn    int64     `json:"expires_in"` | ||||
| 	RefreshToken string    `json:"refresh_token"` | ||||
| 	IDToken      string    `json:"id_token,omitempty"` | ||||
| } | ||||
|  | ||||
| func NewAccessTokenResponse(ctx context.Context, grant *auth.OAuth2Grant, serverKey, clientKey JWTSigningKey) (*AccessTokenResponse, *AccessTokenError) { | ||||
| 	if setting.OAuth2.InvalidateRefreshTokens { | ||||
| 		if err := grant.IncreaseCounter(ctx); err != nil { | ||||
| 			return nil, &AccessTokenError{ | ||||
| 				ErrorCode:        AccessTokenErrorCodeInvalidGrant, | ||||
| 				ErrorDescription: "cannot increase the grant counter", | ||||
| 			} | ||||
| 		} | ||||
| 	} | ||||
| 	// generate access token to access the API | ||||
| 	expirationDate := timeutil.TimeStampNow().Add(setting.OAuth2.AccessTokenExpirationTime) | ||||
| 	accessToken := &Token{ | ||||
| 		GrantID: grant.ID, | ||||
| 		Kind:    KindAccessToken, | ||||
| 		RegisteredClaims: jwt.RegisteredClaims{ | ||||
| 			ExpiresAt: jwt.NewNumericDate(expirationDate.AsTime()), | ||||
| 		}, | ||||
| 	} | ||||
| 	signedAccessToken, err := accessToken.SignToken(serverKey) | ||||
| 	if err != nil { | ||||
| 		return nil, &AccessTokenError{ | ||||
| 			ErrorCode:        AccessTokenErrorCodeInvalidRequest, | ||||
| 			ErrorDescription: "cannot sign token", | ||||
| 		} | ||||
| 	} | ||||
|  | ||||
| 	// generate refresh token to request an access token after it expired later | ||||
| 	refreshExpirationDate := timeutil.TimeStampNow().Add(setting.OAuth2.RefreshTokenExpirationTime * 60 * 60).AsTime() | ||||
| 	refreshToken := &Token{ | ||||
| 		GrantID: grant.ID, | ||||
| 		Counter: grant.Counter, | ||||
| 		Kind:    KindRefreshToken, | ||||
| 		RegisteredClaims: jwt.RegisteredClaims{ | ||||
| 			ExpiresAt: jwt.NewNumericDate(refreshExpirationDate), | ||||
| 		}, | ||||
| 	} | ||||
| 	signedRefreshToken, err := refreshToken.SignToken(serverKey) | ||||
| 	if err != nil { | ||||
| 		return nil, &AccessTokenError{ | ||||
| 			ErrorCode:        AccessTokenErrorCodeInvalidRequest, | ||||
| 			ErrorDescription: "cannot sign token", | ||||
| 		} | ||||
| 	} | ||||
|  | ||||
| 	// generate OpenID Connect id_token | ||||
| 	signedIDToken := "" | ||||
| 	if grant.ScopeContains("openid") { | ||||
| 		app, err := auth.GetOAuth2ApplicationByID(ctx, grant.ApplicationID) | ||||
| 		if err != nil { | ||||
| 			return nil, &AccessTokenError{ | ||||
| 				ErrorCode:        AccessTokenErrorCodeInvalidRequest, | ||||
| 				ErrorDescription: "cannot find application", | ||||
| 			} | ||||
| 		} | ||||
| 		user, err := user_model.GetUserByID(ctx, grant.UserID) | ||||
| 		if err != nil { | ||||
| 			if user_model.IsErrUserNotExist(err) { | ||||
| 				return nil, &AccessTokenError{ | ||||
| 					ErrorCode:        AccessTokenErrorCodeInvalidRequest, | ||||
| 					ErrorDescription: "cannot find user", | ||||
| 				} | ||||
| 			} | ||||
| 			log.Error("Error loading user: %v", err) | ||||
| 			return nil, &AccessTokenError{ | ||||
| 				ErrorCode:        AccessTokenErrorCodeInvalidRequest, | ||||
| 				ErrorDescription: "server error", | ||||
| 			} | ||||
| 		} | ||||
|  | ||||
| 		idToken := &OIDCToken{ | ||||
| 			RegisteredClaims: jwt.RegisteredClaims{ | ||||
| 				ExpiresAt: jwt.NewNumericDate(expirationDate.AsTime()), | ||||
| 				Issuer:    setting.AppURL, | ||||
| 				Audience:  []string{app.ClientID}, | ||||
| 				Subject:   fmt.Sprint(grant.UserID), | ||||
| 			}, | ||||
| 			Nonce: grant.Nonce, | ||||
| 		} | ||||
| 		if grant.ScopeContains("profile") { | ||||
| 			idToken.Name = user.GetDisplayName() | ||||
| 			idToken.PreferredUsername = user.Name | ||||
| 			idToken.Profile = user.HTMLURL() | ||||
| 			idToken.Picture = user.AvatarLink(ctx) | ||||
| 			idToken.Website = user.Website | ||||
| 			idToken.Locale = user.Language | ||||
| 			idToken.UpdatedAt = user.UpdatedUnix | ||||
| 		} | ||||
| 		if grant.ScopeContains("email") { | ||||
| 			idToken.Email = user.Email | ||||
| 			idToken.EmailVerified = user.IsActive | ||||
| 		} | ||||
| 		if grant.ScopeContains("groups") { | ||||
| 			groups, err := GetOAuthGroupsForUser(ctx, user) | ||||
| 			if err != nil { | ||||
| 				log.Error("Error getting groups: %v", err) | ||||
| 				return nil, &AccessTokenError{ | ||||
| 					ErrorCode:        AccessTokenErrorCodeInvalidRequest, | ||||
| 					ErrorDescription: "server error", | ||||
| 				} | ||||
| 			} | ||||
| 			idToken.Groups = groups | ||||
| 		} | ||||
|  | ||||
| 		signedIDToken, err = idToken.SignToken(clientKey) | ||||
| 		if err != nil { | ||||
| 			return nil, &AccessTokenError{ | ||||
| 				ErrorCode:        AccessTokenErrorCodeInvalidRequest, | ||||
| 				ErrorDescription: "cannot sign token", | ||||
| 			} | ||||
| 		} | ||||
| 	} | ||||
|  | ||||
| 	return &AccessTokenResponse{ | ||||
| 		AccessToken:  signedAccessToken, | ||||
| 		TokenType:    TokenTypeBearer, | ||||
| 		ExpiresIn:    setting.OAuth2.AccessTokenExpirationTime, | ||||
| 		RefreshToken: signedRefreshToken, | ||||
| 		IDToken:      signedIDToken, | ||||
| 	}, nil | ||||
| } | ||||
|  | ||||
| // returns a list of "org" and "org:team" strings, | ||||
| // that the given user is a part of. | ||||
| func GetOAuthGroupsForUser(ctx context.Context, user *user_model.User) ([]string, error) { | ||||
| 	orgs, err := org_model.GetUserOrgsList(ctx, user) | ||||
| 	if err != nil { | ||||
| 		return nil, fmt.Errorf("GetUserOrgList: %w", err) | ||||
| 	} | ||||
|  | ||||
| 	var groups []string | ||||
| 	for _, org := range orgs { | ||||
| 		groups = append(groups, org.Name) | ||||
| 		teams, err := org.LoadTeams(ctx) | ||||
| 		if err != nil { | ||||
| 			return nil, fmt.Errorf("LoadTeams: %w", err) | ||||
| 		} | ||||
| 		for _, team := range teams { | ||||
| 			if team.IsMember(ctx, user.ID) { | ||||
| 				groups = append(groups, org.Name+":"+team.LowerName) | ||||
| 			} | ||||
| 		} | ||||
| 	} | ||||
| 	return groups, nil | ||||
| } | ||||
							
								
								
									
										19
									
								
								services/oauth2_provider/init.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										19
									
								
								services/oauth2_provider/init.go
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,19 @@ | ||||
| // Copyright 2024 The Gitea Authors. All rights reserved. | ||||
| // SPDX-License-Identifier: MIT | ||||
|  | ||||
| package oauth2_provider //nolint | ||||
|  | ||||
| import ( | ||||
| 	"context" | ||||
|  | ||||
| 	"code.gitea.io/gitea/modules/setting" | ||||
| ) | ||||
|  | ||||
| // Init initializes the oauth source | ||||
| func Init(ctx context.Context) error { | ||||
| 	if !setting.OAuth2.Enabled { | ||||
| 		return nil | ||||
| 	} | ||||
|  | ||||
| 	return InitSigningKey() | ||||
| } | ||||
| @@ -1,7 +1,7 @@ | ||||
| // Copyright 2021 The Gitea Authors. All rights reserved. | ||||
| // SPDX-License-Identifier: MIT | ||||
| 
 | ||||
| package oauth2 | ||||
| package oauth2_provider //nolint | ||||
| 
 | ||||
| import ( | ||||
| 	"crypto/ecdsa" | ||||
| @@ -1,7 +1,7 @@ | ||||
| // Copyright 2021 The Gitea Authors. All rights reserved. | ||||
| // SPDX-License-Identifier: MIT | ||||
| 
 | ||||
| package oauth2 | ||||
| package oauth2_provider //nolint | ||||
| 
 | ||||
| import ( | ||||
| 	"fmt" | ||||
| @@ -12,29 +12,22 @@ import ( | ||||
| 	"github.com/golang-jwt/jwt/v5" | ||||
| ) | ||||
| 
 | ||||
| // ___________     __ | ||||
| // \__    ___/___ |  | __ ____   ____ | ||||
| //   |    | /  _ \|  |/ // __ \ /    \ | ||||
| //   |    |(  <_> )    <\  ___/|   |  \ | ||||
| //   |____| \____/|__|_ \\___  >___|  / | ||||
| //                     \/    \/     \/ | ||||
| 
 | ||||
| // Token represents an Oauth grant | ||||
| 
 | ||||
| // TokenType represents the type of token for an oauth application | ||||
| type TokenType int | ||||
| // TokenKind represents the type of token for an oauth application | ||||
| type TokenKind int | ||||
| 
 | ||||
| const ( | ||||
| 	// TypeAccessToken is a token with short lifetime to access the api | ||||
| 	TypeAccessToken TokenType = 0 | ||||
| 	// TypeRefreshToken is token with long lifetime to refresh access tokens obtained by the client | ||||
| 	TypeRefreshToken = iota | ||||
| 	// KindAccessToken is a token with short lifetime to access the api | ||||
| 	KindAccessToken TokenKind = 0 | ||||
| 	// KindRefreshToken is token with long lifetime to refresh access tokens obtained by the client | ||||
| 	KindRefreshToken = iota | ||||
| ) | ||||
| 
 | ||||
| // Token represents a JWT token used to authenticate a client | ||||
| type Token struct { | ||||
| 	GrantID int64     `json:"gnt"` | ||||
| 	Type    TokenType `json:"tt"` | ||||
| 	Kind    TokenKind `json:"tt"` | ||||
| 	Counter int64     `json:"cnt,omitempty"` | ||||
| 	jwt.RegisteredClaims | ||||
| } | ||||
| @@ -11,7 +11,7 @@ import ( | ||||
|  | ||||
| 	"code.gitea.io/gitea/modules/json" | ||||
| 	"code.gitea.io/gitea/modules/setting" | ||||
| 	"code.gitea.io/gitea/routers/web/auth" | ||||
| 	oauth2_provider "code.gitea.io/gitea/services/oauth2_provider" | ||||
| 	"code.gitea.io/gitea/tests" | ||||
|  | ||||
| 	"github.com/stretchr/testify/assert" | ||||
| @@ -177,7 +177,7 @@ func TestAccessTokenExchangeWithoutPKCE(t *testing.T) { | ||||
| 		"code":          "authcode", | ||||
| 	}) | ||||
| 	resp := MakeRequest(t, req, http.StatusBadRequest) | ||||
| 	parsedError := new(auth.AccessTokenError) | ||||
| 	parsedError := new(oauth2_provider.AccessTokenError) | ||||
| 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError)) | ||||
| 	assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode)) | ||||
| 	assert.Equal(t, "failed PKCE code challenge", parsedError.ErrorDescription) | ||||
| @@ -195,7 +195,7 @@ func TestAccessTokenExchangeWithInvalidCredentials(t *testing.T) { | ||||
| 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", | ||||
| 	}) | ||||
| 	resp := MakeRequest(t, req, http.StatusBadRequest) | ||||
| 	parsedError := new(auth.AccessTokenError) | ||||
| 	parsedError := new(oauth2_provider.AccessTokenError) | ||||
| 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError)) | ||||
| 	assert.Equal(t, "invalid_client", string(parsedError.ErrorCode)) | ||||
| 	assert.Equal(t, "cannot load client with client id: '???'", parsedError.ErrorDescription) | ||||
| @@ -210,7 +210,7 @@ func TestAccessTokenExchangeWithInvalidCredentials(t *testing.T) { | ||||
| 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", | ||||
| 	}) | ||||
| 	resp = MakeRequest(t, req, http.StatusBadRequest) | ||||
| 	parsedError = new(auth.AccessTokenError) | ||||
| 	parsedError = new(oauth2_provider.AccessTokenError) | ||||
| 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError)) | ||||
| 	assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode)) | ||||
| 	assert.Equal(t, "invalid client secret", parsedError.ErrorDescription) | ||||
| @@ -225,7 +225,7 @@ func TestAccessTokenExchangeWithInvalidCredentials(t *testing.T) { | ||||
| 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", | ||||
| 	}) | ||||
| 	resp = MakeRequest(t, req, http.StatusBadRequest) | ||||
| 	parsedError = new(auth.AccessTokenError) | ||||
| 	parsedError = new(oauth2_provider.AccessTokenError) | ||||
| 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError)) | ||||
| 	assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode)) | ||||
| 	assert.Equal(t, "unexpected redirect URI", parsedError.ErrorDescription) | ||||
| @@ -240,7 +240,7 @@ func TestAccessTokenExchangeWithInvalidCredentials(t *testing.T) { | ||||
| 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", | ||||
| 	}) | ||||
| 	resp = MakeRequest(t, req, http.StatusBadRequest) | ||||
| 	parsedError = new(auth.AccessTokenError) | ||||
| 	parsedError = new(oauth2_provider.AccessTokenError) | ||||
| 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError)) | ||||
| 	assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode)) | ||||
| 	assert.Equal(t, "client is not authorized", parsedError.ErrorDescription) | ||||
| @@ -255,7 +255,7 @@ func TestAccessTokenExchangeWithInvalidCredentials(t *testing.T) { | ||||
| 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", | ||||
| 	}) | ||||
| 	resp = MakeRequest(t, req, http.StatusBadRequest) | ||||
| 	parsedError = new(auth.AccessTokenError) | ||||
| 	parsedError = new(oauth2_provider.AccessTokenError) | ||||
| 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError)) | ||||
| 	assert.Equal(t, "unsupported_grant_type", string(parsedError.ErrorCode)) | ||||
| 	assert.Equal(t, "Only refresh_token or authorization_code grant type is supported", parsedError.ErrorDescription) | ||||
| @@ -292,7 +292,7 @@ func TestAccessTokenExchangeWithBasicAuth(t *testing.T) { | ||||
| 	}) | ||||
| 	req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OmJsYWJsYQ==") | ||||
| 	resp = MakeRequest(t, req, http.StatusBadRequest) | ||||
| 	parsedError := new(auth.AccessTokenError) | ||||
| 	parsedError := new(oauth2_provider.AccessTokenError) | ||||
| 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError)) | ||||
| 	assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode)) | ||||
| 	assert.Equal(t, "invalid client secret", parsedError.ErrorDescription) | ||||
| @@ -305,7 +305,7 @@ func TestAccessTokenExchangeWithBasicAuth(t *testing.T) { | ||||
| 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", | ||||
| 	}) | ||||
| 	resp = MakeRequest(t, req, http.StatusBadRequest) | ||||
| 	parsedError = new(auth.AccessTokenError) | ||||
| 	parsedError = new(oauth2_provider.AccessTokenError) | ||||
| 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError)) | ||||
| 	assert.Equal(t, "invalid_client", string(parsedError.ErrorCode)) | ||||
| 	assert.Equal(t, "cannot load client with client id: ''", parsedError.ErrorDescription) | ||||
| @@ -319,7 +319,7 @@ func TestAccessTokenExchangeWithBasicAuth(t *testing.T) { | ||||
| 	}) | ||||
| 	req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpKaUE9") | ||||
| 	resp = MakeRequest(t, req, http.StatusBadRequest) | ||||
| 	parsedError = new(auth.AccessTokenError) | ||||
| 	parsedError = new(oauth2_provider.AccessTokenError) | ||||
| 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError)) | ||||
| 	assert.Equal(t, "invalid_request", string(parsedError.ErrorCode)) | ||||
| 	assert.Equal(t, "client_id in request body inconsistent with Authorization header", parsedError.ErrorDescription) | ||||
| @@ -333,7 +333,7 @@ func TestAccessTokenExchangeWithBasicAuth(t *testing.T) { | ||||
| 	}) | ||||
| 	req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpKaUE9") | ||||
| 	resp = MakeRequest(t, req, http.StatusBadRequest) | ||||
| 	parsedError = new(auth.AccessTokenError) | ||||
| 	parsedError = new(oauth2_provider.AccessTokenError) | ||||
| 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError)) | ||||
| 	assert.Equal(t, "invalid_request", string(parsedError.ErrorCode)) | ||||
| 	assert.Equal(t, "client_secret in request body inconsistent with Authorization header", parsedError.ErrorDescription) | ||||
| @@ -371,7 +371,7 @@ func TestRefreshTokenInvalidation(t *testing.T) { | ||||
| 		"refresh_token": parsed.RefreshToken, | ||||
| 	}) | ||||
| 	resp = MakeRequest(t, req, http.StatusBadRequest) | ||||
| 	parsedError := new(auth.AccessTokenError) | ||||
| 	parsedError := new(oauth2_provider.AccessTokenError) | ||||
| 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError)) | ||||
| 	assert.Equal(t, "invalid_client", string(parsedError.ErrorCode)) | ||||
| 	assert.Equal(t, "invalid empty client secret", parsedError.ErrorDescription) | ||||
| @@ -384,7 +384,7 @@ func TestRefreshTokenInvalidation(t *testing.T) { | ||||
| 		"refresh_token": "UNEXPECTED", | ||||
| 	}) | ||||
| 	resp = MakeRequest(t, req, http.StatusBadRequest) | ||||
| 	parsedError = new(auth.AccessTokenError) | ||||
| 	parsedError = new(oauth2_provider.AccessTokenError) | ||||
| 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError)) | ||||
| 	assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode)) | ||||
| 	assert.Equal(t, "unable to parse refresh token", parsedError.ErrorDescription) | ||||
| @@ -414,7 +414,7 @@ func TestRefreshTokenInvalidation(t *testing.T) { | ||||
| 	// repeat request should fail | ||||
| 	req.Body = io.NopCloser(bytes.NewReader(bs)) | ||||
| 	resp = MakeRequest(t, req, http.StatusBadRequest) | ||||
| 	parsedError = new(auth.AccessTokenError) | ||||
| 	parsedError = new(oauth2_provider.AccessTokenError) | ||||
| 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError)) | ||||
| 	assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode)) | ||||
| 	assert.Equal(t, "token was already used", parsedError.ErrorDescription) | ||||
|   | ||||
		Reference in New Issue
	
	Block a user