-
-
Notifications
You must be signed in to change notification settings - Fork 24
/
auth.go
431 lines (355 loc) · 11.1 KB
/
auth.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
//
// This file is part of arduino-connector
//
// Copyright (C) 2017-2018 Arduino AG (http://www.arduino.cc/)
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// Package auth uses the `oauth2 authorization_code` flow to authenticate with Arduino
//
// If you have the username and password of a user, you can just instantiate a client with sane defaults:
//
// client := auth.New()
//
// and then call the Token method to obtain a Token object with an AccessToken and a RefreshToken
//
// token, err := client.Token(username, password)
//
// If instead you already have a token but want to refresh it, just call
//
// token, err := client.refresh(refreshToken)
package auth
import (
"encoding/json"
"io/ioutil"
"math/rand"
"net/http"
"net/url"
"regexp"
"strings"
"time"
"github.com/pkg/errors"
)
type DeviceCode struct {
DeviceCode string `json:"device_code"`
UserCode string `json:"user_code"`
VerificationURI string `json:"verification_uri"`
ExpiresIn int `json:"expires_in"`
Interval int `json:"interval"`
VerificationURIComplete string `json:"verification_uri_complete"`
}
// HTTPClient interface
type HTTPClient interface {
Do(req *http.Request) (*http.Response, error)
Get(url string) (resp *http.Response, err error)
}
var client HTTPClient
// Init initialize correctly HTTP client
func Init() {
client = &http.Client{}
}
// StartDeviceAuth request with POST auth using clientID
func StartDeviceAuth(authURL, clientID string) (data DeviceCode, err error) {
url := authURL + "/oauth/device/code"
payload := strings.NewReader("client_id=" + clientID + "&audience=https://api.arduino.cc")
req, err := http.NewRequest("POST", url, payload)
if err != nil {
return data, err
}
req.Header.Add("content-type", "application/x-www-form-urlencoded")
res, err := client.Do(req)
if err != nil {
return data, err
}
defer res.Body.Close()
body, err := ioutil.ReadAll(res.Body)
if err != nil {
return data, err
}
err = json.Unmarshal(body, &data)
if err != nil {
return data, err
}
return data, nil
}
func CheckDeviceAuth(authURL, clientID, deviceCode string) (token string, err error) {
url := authURL + "/oauth/token"
payload := strings.NewReader("grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Adevice_code&device_code=" + deviceCode + "&client_id=" + clientID)
req, err := http.NewRequest("POST", url, payload)
if err != nil {
return token, err
}
req.Header.Add("content-type", "application/x-www-form-urlencoded")
res, err := client.Do(req)
if err != nil {
return token, err
}
defer res.Body.Close()
body, err := ioutil.ReadAll(res.Body)
if err != nil {
return token, err
}
if res.StatusCode != 200 {
return token, errors.New(string(body))
}
data := struct {
AccessToken string `json:"access_token"`
ExpiresIn int `json:"expires_in"`
TokenType string `json:"token_type"`
}{}
err = json.Unmarshal(body, &data)
if err != nil {
return token, err
}
return data.AccessToken, nil
}
// Config contains the variables you may want to change
type Config struct {
// CodeURL is the endpoint to redirect to obtain a code
CodeURL string
// TokenURL is the endpoint where you can request an access code
TokenURL string
// ClientID is the client id you are using
ClientID string
// RedirectURI is the redirectURI where the oauth process will redirect. It's only required since the oauth system checks for it, but we intercept the redirect before hitting it
RedirectURI string
// Scopes is a space-separated list of scopes to require
Scopes string
}
// New returns an auth configuration with sane defaults
func New() *Config {
return &Config{
CodeURL: "https://hydra.arduino.cc/oauth2/auth",
TokenURL: "https://hydra.arduino.cc/oauth2/token",
ClientID: "cli",
RedirectURI: "http://localhost:5000",
Scopes: "profile:core offline",
}
}
// Token is the response of the two authentication functions
type Token struct {
// Access is the token to use to authenticate requests
Access string `json:"access_token"`
// Refresh is the token to use to request another access token. It's only returned if one of the scopes is "offline"
Refresh string `json:"refresh_token"`
// TTL is the number of seconds that the tokens will last
TTL int `json:"expires_in"`
// Scopes is a space-separated list of scopes associated to the access token
Scopes string `json:"scope"`
// Type is the type of token
Type string `json:"token_type"`
}
// Token authenticates with the given username and password and returns a Token object
func (c *Config) Token(user, pass string) (*Token, error) {
// We want to make sure we send the proper cookies each step, so we don't follow redirects
client := &http.Client{
CheckRedirect: func(req *http.Request, via []*http.Request) error {
return http.ErrUseLastResponse
},
}
// Request authentication page
url, cookies, err := c.requestAuth(client)
if err != nil {
return nil, errors.Wrap(err, "get the auth page")
}
// Authenticate
code, err := c.authenticate(client, cookies, url, user, pass)
if err != nil {
return nil, errors.Wrap(err, "authenticate")
}
// Request token
token, err := c.requestToken(client, code)
if err != nil {
return nil, errors.Wrap(err, "request token")
}
return token, nil
}
// Refresh exchanges a token for a new one
func (c *Config) Refresh(token string) (*Token, error) {
client := http.Client{}
query := url.Values{}
query.Add("refresh_token", token)
query.Add("client_id", c.ClientID)
query.Add("redirect_uri", c.RedirectURI)
query.Add("grant_type", "refresh_token")
req, err := http.NewRequest("POST", c.TokenURL, strings.NewReader(query.Encode()))
if err != nil {
return nil, err
}
req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
req.SetBasicAuth("cli", "")
res, err := client.Do(req)
if err != nil {
return nil, err
}
body, err := ioutil.ReadAll(res.Body)
if err != nil {
return nil, err
}
data := Token{}
err = json.Unmarshal(body, &data)
if err != nil {
return nil, err
}
return &data, nil
}
// cookies keeps track of the cookies for each request
type cookies map[string][]*http.Cookie
// requestAuth calls hydra and follows the redirects until it reaches the authentication page. It saves the cookie it finds so it can apply them to subsequent requests
func (c *Config) requestAuth(client HTTPClient) (string, cookies, error) {
uri, err := url.Parse(c.CodeURL)
if err != nil {
return "", nil, err
}
query := uri.Query()
query.Add("client_id", c.ClientID)
query.Add("state", randomString(8))
query.Add("scope", c.Scopes)
query.Add("response_type", "code")
query.Add("redirect_uri", c.RedirectURI)
uri.RawQuery = query.Encode()
// Navigate to hydra request page
res, err := client.Get(uri.String())
if err != nil {
return "", nil, err
}
cs := cookies{}
cs["hydra"] = res.Cookies()
// Navigate to auth request page
res, err = client.Get(res.Header.Get("Location"))
if err != nil {
return "", nil, err
}
cs["auth"] = res.Cookies()
return res.Request.URL.String(), cs, err
}
var errorRE = regexp.MustCompile(`<div class="error">(?P<error>.*)</div>`)
// authenticate uses the user and pass to pass the authentication challenge and returns the authorization_code
func (c *Config) authenticate(client HTTPClient, cookies cookies, uri, user, pass string) (string, error) {
// Find csrf
csrf := ""
for _, cookie := range cookies["auth"] {
if cookie.Name == "_csrf" && cookie.Value != "" {
csrf = cookie.Value
break
}
}
query := url.Values{}
query.Add("username", user)
query.Add("password", pass)
query.Add("csrf", csrf)
query.Add("g-recaptcha-response", "")
req, err := http.NewRequest("POST", uri, strings.NewReader(query.Encode()))
if err != nil {
return "", err
}
req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
// Apply cookies
for _, cookie := range cookies["auth"] {
req.AddCookie(cookie)
}
res, err := client.Do(req)
if err != nil {
return "", err
}
if res.StatusCode != 302 {
body, errRead := ioutil.ReadAll(res.Body)
if errRead != nil {
return "", errRead
}
errs := errorRE.FindStringSubmatch(string(body))
if len(errs) < 2 {
return "", errors.New("status = " + res.Status + ", response = " + string(body))
}
return "", errors.New(errs[1])
}
// Follow redirect to hydra
req, err = http.NewRequest("GET", res.Header.Get("Location"), nil)
if err != nil {
return "", err
}
for _, cookie := range cookies["hydra"] {
req.AddCookie(cookie)
}
res, err = client.Do(req)
if err != nil {
return "", err
}
redir, err := url.Parse(res.Header.Get("Location"))
if err != nil {
return "", err
}
return redir.Query().Get("code"), nil
}
func (c *Config) requestToken(client HTTPClient, code string) (*Token, error) {
query := url.Values{}
query.Add("code", code)
query.Add("client_id", c.ClientID)
query.Add("redirect_uri", c.RedirectURI)
query.Add("grant_type", "authorization_code")
req, err := http.NewRequest("POST", c.TokenURL, strings.NewReader(query.Encode()))
if err != nil {
return nil, err
}
req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
req.SetBasicAuth(c.ClientID, "")
res, err := client.Do(req)
if err != nil {
return nil, err
}
body, err := ioutil.ReadAll(res.Body)
if err != nil {
return nil, err
}
if res.StatusCode != 200 {
data := struct {
Error string `json:"error_description"`
}{}
err = json.Unmarshal(body, &data)
if err != nil {
return nil, err
}
return nil, errors.New(data.Error)
}
data := Token{}
err = json.Unmarshal(body, &data)
if err != nil {
return nil, err
}
return &data, nil
}
// randomString generates a string of random characters of fixed length.
// stolen shamelessly from https://stackoverflow.com/questions/22892120/how-to-generate-a-random-string-of-a-fixed-length-in-golang
const letterBytes = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
const (
letterIdxBits = 6 // 6 bits to represent a letter index
letterIdxMask = 1<<letterIdxBits - 1 // All 1-bits, as many as letterIdxBits
letterIdxMax = 63 / letterIdxBits // # of letter indices fitting in 63 bits
)
var src = rand.NewSource(time.Now().UnixNano())
func randomString(n int) string {
b := make([]byte, n)
// A src.Int63() generates 63 random bits, enough for letterIdxMax characters!
for i, cache, remain := n-1, src.Int63(), letterIdxMax; i >= 0; {
if remain == 0 {
cache, remain = src.Int63(), letterIdxMax
}
if idx := int(cache & letterIdxMask); idx < len(letterBytes) {
b[i] = letterBytes[idx]
i--
}
cache >>= letterIdxBits
remain--
}
return string(b)
}