-
-
Notifications
You must be signed in to change notification settings - Fork 398
/
Copy pathauth.go
330 lines (277 loc) · 8.82 KB
/
auth.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
//
// This file is part of arduino-cli.
//
// Copyright 2018 ARDUINO SA (http://www.arduino.cc/)
//
// This software is released under the GNU General Public License version 3,
// which covers the main part of arduino-cli.
// The terms of this license can be found at:
// https://www.gnu.org/licenses/gpl-3.0.en.html
//
// You can be released from the requirements of the above licenses by purchasing
// a commercial license. Buying such a license is mandatory if you want to modify or
// otherwise use the software for commercial activities involving the Arduino
// software without disclosing the source code of your own applications. To purchase
// a commercial license, send an email to [email protected].
//
// Package auth uses the `oauth2 authorization_code` flow to authenticate with Arduino
//
// If you have the username and password of a user, you can just instantiate a client with sane defaults:
//
// client := auth.New()
//
// and then call the Token method to obtain a Token object with an AccessToken and a RefreshToken
//
// token, err := client.Token(username, password)
//
// If instead you already have a token but want to refresh it, just call
//
// token, err := client.refresh(refreshToken)
package auth
import (
"encoding/json"
"io/ioutil"
"math/rand"
"net/http"
"net/url"
"regexp"
"strings"
"time"
"github.com/pkg/errors"
)
// Config contains the variables you may want to change
type Config struct {
// CodeURL is the endpoint to redirect to obtain a code
CodeURL string
// TokenURL is the endpoint where you can request an access code
TokenURL string
// ClientID is the client id you are using
ClientID string
// RedirectURI is the redirectURI where the oauth process will redirect.
// It's only required since the oauth system checks for it, but we intercept the redirect before hitting it
RedirectURI string
// Scopes is a space-separated list of scopes to require
Scopes string
}
// New returns an auth configuration with sane defaults
func New() *Config {
return &Config{
CodeURL: "https://hydra.arduino.cc/oauth2/auth",
TokenURL: "https://hydra.arduino.cc/oauth2/token",
ClientID: "cli",
RedirectURI: "http://localhost:5000",
Scopes: "profile:core offline",
}
}
// Token is the response of the two authentication functions
type Token struct {
// Access is the token to use to authenticate requests
Access string `json:"access_token"`
// Refresh is the token to use to request another access token. It's only returned if one of the scopes is "offline"
Refresh string `json:"refresh_token"`
// TTL is the number of seconds that the tokens will last
TTL int `json:"expires_in"`
// Scopes is a space-separated list of scopes associated to the access token
Scopes string `json:"scope"`
// Type is the type of token
Type string `json:"token_type"`
}
// Token authenticates with the given username and password and returns a Token object
func (c *Config) Token(user, pass string) (*Token, error) {
// We want to make sure we send the proper cookies each step, so we don't follow redirects
client := &http.Client{
CheckRedirect: func(req *http.Request, via []*http.Request) error {
return http.ErrUseLastResponse
},
}
// Request authentication page
url, cookies, err := c.requestAuth(client)
if err != nil {
return nil, errors.Wrap(err, "get the auth page")
}
// Authenticate
code, err := c.authenticate(client, cookies, url, user, pass)
if err != nil {
return nil, errors.Wrap(err, "authenticate")
}
// Request token
token, err := c.requestToken(client, code)
if err != nil {
return nil, errors.Wrap(err, "request token")
}
return token, nil
}
// Refresh exchanges a token for a new one
func (c *Config) Refresh(token string) (*Token, error) {
client := http.Client{}
query := url.Values{}
query.Add("refresh_token", token)
query.Add("client_id", c.ClientID)
query.Add("redirect_uri", c.RedirectURI)
query.Add("grant_type", "refresh_token")
req, err := http.NewRequest("POST", c.TokenURL, strings.NewReader(query.Encode()))
if err != nil {
return nil, err
}
req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
req.SetBasicAuth("cli", "")
res, err := client.Do(req)
if err != nil {
return nil, err
}
body, err := ioutil.ReadAll(res.Body)
if err != nil {
return nil, err
}
data := Token{}
err = json.Unmarshal(body, &data)
if err != nil {
return nil, err
}
return &data, nil
}
// cookies keeps track of the cookies for each request
type cookies map[string][]*http.Cookie
// requestAuth calls hydra and follows the redirects until it reaches the authentication page.
// It saves the cookie it finds so it can apply them to subsequent requests
func (c *Config) requestAuth(client *http.Client) (string, cookies, error) {
uri, err := url.Parse(c.CodeURL)
if err != nil {
return "", nil, err
}
query := uri.Query()
query.Add("client_id", c.ClientID)
query.Add("state", randomString(8))
query.Add("scope", c.Scopes)
query.Add("response_type", "code")
query.Add("redirect_uri", c.RedirectURI)
uri.RawQuery = query.Encode()
// Navigate to hydra request page
res, err := client.Get(uri.String())
if err != nil {
return "", nil, err
}
cookies := cookies{}
cookies["hydra"] = res.Cookies()
// Navigate to auth request page
res, err = client.Get(res.Header.Get("Location"))
if err != nil {
return "", nil, err
}
cookies["auth"] = res.Cookies()
return res.Request.URL.String(), cookies, err
}
var errorRE = regexp.MustCompile(`<div class="error">(?P<error>.*)</div>`)
// authenticate uses the user and pass to pass the authentication challenge and returns the authorization_code
func (c *Config) authenticate(client *http.Client, cookies cookies, uri, user, pass string) (string, error) {
// Find csrf
csrf := ""
for _, cookie := range cookies["auth"] {
if cookie.Name == "_csrf" && cookie.Value != "" {
csrf = cookie.Value
break
}
}
query := url.Values{}
query.Add("username", user)
query.Add("password", pass)
query.Add("csrf", csrf)
query.Add("g-recaptcha-response", "")
req, err := http.NewRequest("POST", uri, strings.NewReader(query.Encode()))
if err != nil {
return "", err
}
req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
// Apply cookies
for _, cookie := range cookies["auth"] {
req.AddCookie(cookie)
}
res, err := client.Do(req)
if err != nil {
return "", err
}
if res.StatusCode != 302 {
body, _ := ioutil.ReadAll(res.Body)
errs := errorRE.FindStringSubmatch(string(body))
if len(errs) < 2 {
return "", errors.New("status = " + res.Status + ", response = " + string(body))
}
return "", errors.New(errs[1])
}
// Follow redirect to hydra
req, err = http.NewRequest("GET", res.Header.Get("Location"), nil)
if err != nil {
return "", err
}
for _, cookie := range cookies["hydra"] {
req.AddCookie(cookie)
}
res, err = client.Do(req)
if err != nil {
return "", err
}
redir, err := url.Parse(res.Header.Get("Location"))
if err != nil {
return "", err
}
return redir.Query().Get("code"), nil
}
func (c *Config) requestToken(client *http.Client, code string) (*Token, error) {
query := url.Values{}
query.Add("code", code)
query.Add("client_id", c.ClientID)
query.Add("redirect_uri", c.RedirectURI)
query.Add("grant_type", "authorization_code")
req, err := http.NewRequest("POST", c.TokenURL, strings.NewReader(query.Encode()))
if err != nil {
return nil, err
}
req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
req.SetBasicAuth(c.ClientID, "")
res, err := client.Do(req)
if err != nil {
return nil, err
}
body, err := ioutil.ReadAll(res.Body)
if err != nil {
return nil, err
}
if res.StatusCode != 200 {
data := struct {
Error string `json:"error_description"`
}{}
json.Unmarshal(body, &data)
return nil, errors.New(data.Error)
}
data := Token{}
err = json.Unmarshal(body, &data)
if err != nil {
return nil, err
}
return &data, nil
}
// randomString generates a string of random characters of fixed length.
// stolen shamelessly from https://stackoverflow.com/questions/22892120/how-to-generate-a-random-string-of-a-fixed-length-in-golang
const letterBytes = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
const (
letterIdxBits = 6 // 6 bits to represent a letter index
letterIdxMask = 1<<letterIdxBits - 1 // All 1-bits, as many as letterIdxBits
letterIdxMax = 63 / letterIdxBits // # of letter indices fitting in 63 bits
)
var src = rand.NewSource(time.Now().UnixNano())
func randomString(n int) string {
b := make([]byte, n)
// A src.Int63() generates 63 random bits, enough for letterIdxMax characters!
for i, cache, remain := n-1, src.Int63(), letterIdxMax; i >= 0; {
if remain == 0 {
cache, remain = src.Int63(), letterIdxMax
}
if idx := int(cache & letterIdxMask); idx < len(letterBytes) {
b[i] = letterBytes[idx]
i--
}
cache >>= letterIdxBits
remain--
}
return string(b)
}