fix oauth2 gitlab link

Gandi · Jan 6, 2016 · 9bb706d · 9bb706d
1 parent 4599eb8
commit 9bb706d
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 60 deletions.
diff --git a/app/views/_head.erb b/app/views/_head.erb
@@ -14,7 +14,7 @@
 <div class="auth">
 <a href="/logout" id="logout">http Logout</a>
 </div>
-<% when 'oauth2' %>
+<% when 'gitlab' %>
 <div class="auth">
 <a href="/logout" id="logout">gitlab Logout</a>
 </div>

diff --git a/app/web.rb b/app/web.rb
@@ -29,74 +29,55 @@ class Web < Common
       BetterErrors.application_root = File.expand_path('..', __FILE__)
     end
 
-    helpers do
-
-      def oauth_client
-        @_client ||= OAuth2::Client.new(
-          settings.configdata['oauth2_auth']['application_id'], 
-          settings.configdata['oauth2_auth']['secret'], 
-          :site => settings.configdata['oauth2_auth']['host']
-          )
-      end
+    case settings.configdata['auth_method']
+    when 'http'
 
-      def get_response(url)
-        access_token = OAuth2::AccessToken.new(oauth_client, session['access_token'])
-        begin
-          JSON.parse(access_token.get(url).body)
-        rescue Exception => e
-          { 'error' => JSON.parse(e.message.split(/\n/)[1])['message'] }
-        end
+      use Rack::Auth::Basic, "Puppet Private Access" do |username, password|
+        username == settings.configdata['http_auth']['username'] && 
+        password == settings.configdata['http_auth']['password']
       end
 
-      def redirect_uri
-        uri = URI.parse(request.url)
-        uri.path = '/logged-in'
-        uri.query = nil
-        uri.to_s
+      get '/logout' do
+        erb :logout, layout: :_layout
       end
 
-      def check_authorization
-        if settings.configdata['auth_method'] == 'oauth2' &&
-            settings.configdata['oauth2_auth']['resource_required']
-          resp = get_response(settings.configdata['oauth2_auth']['resource_required'])
-          logger.info resp
-          if resp['error'] ||
-             (resp[settings.configdata['oauth2_auth']['required_response_key']] &&
-             resp[settings.configdata['oauth2_auth']['required_response_key']] != 
-             resp[settings.configdata['oauth2_auth']['required_response_value']])
-             logger.info resp['error']
-            flash[:fatal] = resp['error']
-            redirect '/'
-          end
+      helpers do
+        def check_authorization
+          true
         end
       end
 
-    end
+    when 'gitlab'
 
-    case settings.configdata['auth_method']
-    when 'http'
+      set :oauth, Hieraviz::AuthGitlab.new(settings.configdata['gitlab_auth'])
 
-      use Rack::Auth::Basic, "Puppet Private Access" do |username, password|
-        username == settings.configdata['http_auth']['username'] && 
-        password == settings.configdata['http_auth']['password']
+      def check_authorization
+        if !session['access_token']
+          redirect settings.oauth.login_url(request)
+        else
+          if !settings.oauth.authorized?(session['access_token'])
+            flash[:fatal] = "Sorry you are not authorized to read puppet repo on gitlab."
+            redirect '/'
+          end
+        end
       end
 
-    when 'gitlab'
-
-      set :oauth, Hieraviz::AuthGitlab.new(settings.configdata['gitlab_auth'], session)
-
       get '/login' do
-        redirect settings.oauth.login_url
+        redirect settings.oauth.login_url(request)
       end
 
       get '/logged-in' do
-        authcode = oauth_client.auth_code
-        access_token = authcode.get_token(params[:code], :redirect_uri => redirect_uri)
+        access_token = settings.oauth.access_token(request, params[:code])
         session[:access_token] = access_token.token
         flash['info'] = "Successfully authenticated with the server"
         redirect '/'
       end
 
+      get '/logout' do
+        session.clear
+        redirect '/'
+      end
+
     else
     end
 
@@ -127,12 +108,7 @@ def check_authorization
       erb :resources
     end
 
-    get '/logout' do
-      erb :logout, layout: :_layout
-    end
-
     not_found do
-      session[:access_token] =
       erb :not_found, layout: :_layout
     end
 

diff --git a/lib/hieraviz/auth_gitlab.rb b/lib/hieraviz/auth_gitlab.rb
@@ -3,18 +3,21 @@
 module Hieraviz
   class AuthGitlab
 
-    def initialize(settings, session)
+    def initialize(settings)
       @@client ||= OAuth2::Client.new(
         settings['application_id'], 
         settings['secret'], 
         :site => settings['host']
         )
-      @session = session
+      @settings = settings
     end
 
+    def access_token(request, code)
+      @@client.auth_code.get_token(code, :redirect_uri => redirect_uri(request))
+    end
 
-    def get_response(url)
-      access_token = OAuth2::AccessToken.new(@@client, @session['access_token'])
+    def get_response(url, token)
+      access_token = OAuth2::AccessToken.new(@@client, token)
       begin
         JSON.parse(access_token.get(url).body)
       rescue Exception => e
@@ -23,15 +26,29 @@ def get_response(url)
     end
 
 
-    def redirect_uri
+    def redirect_uri(request)
       uri = URI.parse(request.url)
       uri.path = '/logged-in'
       uri.query = nil
       uri.to_s
     end
 
-    def login_url
-      @@client.auth_code.authorize_url(:redirect_uri => redirect_uri)
+    def login_url(request)
+      @@client.auth_code.authorize_url(:redirect_uri => redirect_uri(request))
+    end
+
+    def authorized?(token)
+      if @settings['resource_required']
+        resp = get_response(@settings['resource_required'], token)
+        if resp['error'] ||
+           (resp[@settings['required_response_key']] &&
+           resp[@settings['required_response_key']] != resp[@settings['required_response_value']])
+          false
+        else
+          true
+        end
+      end
+      true
     end
 
   end