No OneTemporary
Actions

Size

17 KB

Subscribers

None

View Options

	diff --git a/oauth.go b/oauth.go
	index f9d9e99..4758e0f 100644
	--- a/oauth.go
	+++ b/oauth.go
	@@ -1,244 +1,244 @@
	package writefreely

	import (
	"context"
	"encoding/json"
	"fmt"
	"github.com/gorilla/mux"
	"github.com/gorilla/sessions"
	"github.com/writeas/impart"
	"github.com/writeas/nerds/store"
	"github.com/writeas/web-core/auth"
	"github.com/writeas/web-core/log"
	"github.com/writeas/writefreely/config"
	"io"
	"io/ioutil"
	"net/http"
	"time"
	)

	// TokenResponse contains data returned when a token is created either
	// through a code exchange or using a refresh token.
	type TokenResponse struct {
	AccessToken string `json:"access_token"`
	ExpiresIn int `json:"expires_in"`
	RefreshToken string `json:"refresh_token"`
	TokenType string `json:"token_type"`
	Error string `json:"error"`
	}

	// InspectResponse contains data returned when an access token is inspected.
	type InspectResponse struct {
	ClientID string `json:"client_id"`
	UserID string `json:"user_id"`
	ExpiresAt time.Time `json:"expires_at"`
	Username string `json:"username"`
	DisplayName string `json:"-"`
	Email string `json:"email"`
	Error string `json:"error"`
	}

	// tokenRequestMaxLen is the most bytes that we'll read from the /oauth/token
	// endpoint. One megabyte is plenty.
	const tokenRequestMaxLen = 1000000

	// infoRequestMaxLen is the most bytes that we'll read from the
	// /oauth/inspect endpoint.
	const infoRequestMaxLen = 1000000

	// OAuthDatastoreProvider provides a minimal interface of data store, config,
	// and session store for use with the oauth handlers.
	type OAuthDatastoreProvider interface {
	DB() OAuthDatastore
	Config() *config.Config
	SessionStore() sessions.Store
	}

	// OAuthDatastore provides a minimal interface of data store methods used in
	// oauth functionality.
	type OAuthDatastore interface {
	GetIDForRemoteUser(context.Context, string, string, string) (int64, error)
	RecordRemoteUserID(context.Context, int64, string, string, string, string) error
	ValidateOAuthState(context.Context, string) (string, string, error)
	GenerateOAuthState(context.Context, string, string) (string, error)

	CreateUser(config.Config, User, string) error
	- GetUserForAuthByID(int64) (*User, error)
	+ GetUserByID(int64) (*User, error)
	}

	type HttpClient interface {
	Do(req http.Request) (http.Response, error)
	}

	type oauthClient interface {
	GetProvider() string
	GetClientID() string
	buildLoginURL(state string) (string, error)
	exchangeOauthCode(ctx context.Context, code string) (*TokenResponse, error)
	inspectOauthAccessToken(ctx context.Context, accessToken string) (*InspectResponse, error)
	}

	type oauthHandler struct {
	Config *config.Config
	DB OAuthDatastore
	Store sessions.Store
	EmailKey []byte
	oauthClient oauthClient
	}

	func (h oauthHandler) viewOauthInit(app App, w http.ResponseWriter, r http.Request) error {
	ctx := r.Context()
	state, err := h.DB.GenerateOAuthState(ctx, h.oauthClient.GetProvider(), h.oauthClient.GetClientID())
	if err != nil {
	return impart.HTTPError{http.StatusInternalServerError, "could not prepare oauth redirect url"}
	}
	location, err := h.oauthClient.buildLoginURL(state)
	if err != nil {
	return impart.HTTPError{http.StatusInternalServerError, "could not prepare oauth redirect url"}
	}
	return impart.HTTPError{http.StatusTemporaryRedirect, location}
	}

	func configureSlackOauth(parentHandler Handler, r mux.Router, app *App) {
	if app.Config().SlackOauth.ClientID != "" {
	oauthClient := slackOauthClient{
	ClientID: app.Config().SlackOauth.ClientID,
	ClientSecret: app.Config().SlackOauth.ClientSecret,
	TeamID: app.Config().SlackOauth.TeamID,
	CallbackLocation: app.Config().App.Host + "/oauth/callback",
	HttpClient: config.DefaultHTTPClient(),
	}
	configureOauthRoutes(parentHandler, r, app, oauthClient)
	}
	}

	func configureWriteAsOauth(parentHandler Handler, r mux.Router, app *App) {
	if app.Config().WriteAsOauth.ClientID != "" {
	oauthClient := writeAsOauthClient{
	ClientID: app.Config().WriteAsOauth.ClientID,
	ClientSecret: app.Config().WriteAsOauth.ClientSecret,
	ExchangeLocation: config.OrDefaultString(app.Config().WriteAsOauth.TokenLocation, writeAsExchangeLocation),
	InspectLocation: config.OrDefaultString(app.Config().WriteAsOauth.InspectLocation, writeAsIdentityLocation),
	AuthLocation: config.OrDefaultString(app.Config().WriteAsOauth.AuthLocation, writeAsAuthLocation),
	HttpClient: config.DefaultHTTPClient(),
	CallbackLocation: app.Config().App.Host + "/oauth/callback",
	}
	configureOauthRoutes(parentHandler, r, app, oauthClient)
	}
	}

	func configureOauthRoutes(parentHandler Handler, r mux.Router, app *App, oauthClient oauthClient) {
	handler := &oauthHandler{
	Config: app.Config(),
	DB: app.DB(),
	Store: app.SessionStore(),
	oauthClient: oauthClient,
	EmailKey: app.keys.EmailKey,
	}
	r.HandleFunc("/oauth/"+oauthClient.GetProvider(), parentHandler.OAuth(handler.viewOauthInit)).Methods("GET")
	r.HandleFunc("/oauth/callback", parentHandler.OAuth(handler.viewOauthCallback)).Methods("GET")
	}

	func (h oauthHandler) viewOauthCallback(app App, w http.ResponseWriter, r http.Request) error {
	ctx := r.Context()

	code := r.FormValue("code")
	state := r.FormValue("state")

	provider, clientID, err := h.DB.ValidateOAuthState(ctx, state)
	if err != nil {
	log.Error("Unable to ValidateOAuthState: %s", err)
	return impart.HTTPError{http.StatusInternalServerError, err.Error()}
	}

	tokenResponse, err := h.oauthClient.exchangeOauthCode(ctx, code)
	if err != nil {
	log.Error("Unable to exchangeOauthCode: %s", err)
	return impart.HTTPError{http.StatusInternalServerError, err.Error()}
	}

	// Now that we have the access token, let's use it real quick to make sur
	// it really really works.
	tokenInfo, err := h.oauthClient.inspectOauthAccessToken(ctx, tokenResponse.AccessToken)
	if err != nil {
	log.Error("Unable to inspectOauthAccessToken: %s", err)
	return impart.HTTPError{http.StatusInternalServerError, err.Error()}
	}

	localUserID, err := h.DB.GetIDForRemoteUser(ctx, tokenInfo.UserID, provider, clientID)
	if err != nil {
	log.Error("Unable to GetIDForRemoteUser: %s", err)
	return impart.HTTPError{http.StatusInternalServerError, err.Error()}
	}

	if localUserID == -1 {
	// We don't have, nor do we want, the password from the origin, so we
	//create a random string. If the user needs to set a password, they
	//can do so through the settings page or through the password reset
	//flow.
	randPass := store.Generate62RandomString(14)
	hashedPass, err := auth.HashPass([]byte(randPass))
	if err != nil {
	return impart.HTTPError{http.StatusInternalServerError, "unable to create password hash"}
	}
	newUser := &User{
	Username: tokenInfo.Username,
	HashedPass: hashedPass,
	HasPass: true,
	Email: prepareUserEmail(tokenInfo.Email, h.EmailKey),
	Created: time.Now().Truncate(time.Second).UTC(),
	}
	displayName := tokenInfo.DisplayName
	if len(displayName) == 0 {
	displayName = tokenInfo.Username
	}

	err = h.DB.CreateUser(h.Config, newUser, displayName)
	if err != nil {
	return impart.HTTPError{http.StatusInternalServerError, err.Error()}
	}

	err = h.DB.RecordRemoteUserID(ctx, newUser.ID, tokenInfo.UserID, provider, clientID, tokenResponse.AccessToken)
	if err != nil {
	return impart.HTTPError{http.StatusInternalServerError, err.Error()}
	}

	if err := loginOrFail(h.Store, w, r, newUser); err != nil {
	return impart.HTTPError{http.StatusInternalServerError, err.Error()}
	}
	return nil
	}

	- user, err := h.DB.GetUserForAuthByID(localUserID)
	+ user, err := h.DB.GetUserByID(localUserID)
	if err != nil {
	return impart.HTTPError{http.StatusInternalServerError, err.Error()}
	}
	if err = loginOrFail(h.Store, w, r, user); err != nil {
	return impart.HTTPError{http.StatusInternalServerError, err.Error()}
	}
	return nil
	}

	func limitedJsonUnmarshal(body io.ReadCloser, n int, thing interface{}) error {
	lr := io.LimitReader(body, int64(n+1))
	data, err := ioutil.ReadAll(lr)
	if err != nil {
	return err
	}
	if len(data) == n+1 {
	return fmt.Errorf("content larger than max read allowance: %d", n)
	}
	return json.Unmarshal(data, thing)
	}

	func loginOrFail(store sessions.Store, w http.ResponseWriter, r http.Request, user User) error {
	// An error may be returned, but a valid session should always be returned.
	session, _ := store.Get(r, cookieName)
	session.Values[cookieUserVal] = user.Cookie()
	if err := session.Save(r, w); err != nil {
	fmt.Println("error saving session", err)
	return err
	}
	http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
	return nil
	}
	diff --git a/oauth_test.go b/oauth_test.go
	index f8ffcf5..2e293e7 100644
	--- a/oauth_test.go
	+++ b/oauth_test.go
	@@ -1,253 +1,253 @@
	package writefreely

	import (
	"context"
	"fmt"
	"github.com/gorilla/sessions"
	"github.com/stretchr/testify/assert"
	"github.com/writeas/impart"
	"github.com/writeas/nerds/store"
	"github.com/writeas/writefreely/config"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"testing"
	)

	type MockOAuthDatastoreProvider struct {
	DoDB func() OAuthDatastore
	DoConfig func() *config.Config
	DoSessionStore func() sessions.Store
	}

	type MockOAuthDatastore struct {
	DoGenerateOAuthState func(context.Context, string, string) (string, error)
	DoValidateOAuthState func(context.Context, string) (string, string, error)
	DoGetIDForRemoteUser func(context.Context, string, string, string) (int64, error)
	DoCreateUser func(config.Config, User, string) error
	DoRecordRemoteUserID func(context.Context, int64, string, string, string, string) error
	- DoGetUserForAuthByID func(int64) (*User, error)
	+ DoGetUserByID func(int64) (*User, error)
	}

	var _ OAuthDatastore = &MockOAuthDatastore{}

	type StringReadCloser struct {
	*strings.Reader
	}

	func (src *StringReadCloser) Close() error {
	return nil
	}

	type MockHTTPClient struct {
	DoDo func(req http.Request) (http.Response, error)
	}

	func (m MockHTTPClient) Do(req http.Request) (*http.Response, error) {
	if m.DoDo != nil {
	return m.DoDo(req)
	}
	return &http.Response{}, nil
	}

	func (m *MockOAuthDatastoreProvider) SessionStore() sessions.Store {
	if m.DoSessionStore != nil {
	return m.DoSessionStore()
	}
	return sessions.NewCookieStore([]byte("secret-key"))
	}

	func (m *MockOAuthDatastoreProvider) DB() OAuthDatastore {
	if m.DoDB != nil {
	return m.DoDB()
	}
	return &MockOAuthDatastore{}
	}

	func (m MockOAuthDatastoreProvider) Config() config.Config {
	if m.DoConfig != nil {
	return m.DoConfig()
	}
	cfg := config.New()
	cfg.UseSQLite(true)
	cfg.WriteAsOauth = config.WriteAsOauthCfg{
	ClientID: "development",
	ClientSecret: "development",
	AuthLocation: "https://write.as/oauth/login",
	TokenLocation: "https://write.as/oauth/token",
	InspectLocation: "https://write.as/oauth/inspect",
	}
	cfg.SlackOauth = config.SlackOauthCfg{
	ClientID: "development",
	ClientSecret: "development",
	TeamID: "development",
	}
	return cfg
	}

	func (m *MockOAuthDatastore) ValidateOAuthState(ctx context.Context, state string) (string, string, error) {
	if m.DoValidateOAuthState != nil {
	return m.DoValidateOAuthState(ctx, state)
	}
	return "", "", nil
	}

	func (m *MockOAuthDatastore) GetIDForRemoteUser(ctx context.Context, remoteUserID, provider, clientID string) (int64, error) {
	if m.DoGetIDForRemoteUser != nil {
	return m.DoGetIDForRemoteUser(ctx, remoteUserID, provider, clientID)
	}
	return -1, nil
	}

	func (m MockOAuthDatastore) CreateUser(cfg config.Config, u *User, username string) error {
	if m.DoCreateUser != nil {
	return m.DoCreateUser(cfg, u, username)
	}
	u.ID = 1
	return nil
	}

	func (m *MockOAuthDatastore) RecordRemoteUserID(ctx context.Context, localUserID int64, remoteUserID, provider, clientID, accessToken string) error {
	if m.DoRecordRemoteUserID != nil {
	return m.DoRecordRemoteUserID(ctx, localUserID, remoteUserID, provider, clientID, accessToken)
	}
	return nil
	}

	-func (m MockOAuthDatastore) GetUserForAuthByID(userID int64) (User, error) {
	- if m.DoGetUserForAuthByID != nil {
	- return m.DoGetUserForAuthByID(userID)
	+func (m MockOAuthDatastore) GetUserByID(userID int64) (User, error) {
	+ if m.DoGetUserByID != nil {
	+ return m.DoGetUserByID(userID)
	}
	user := &User{

	}
	return user, nil
	}

	func (m *MockOAuthDatastore) GenerateOAuthState(ctx context.Context, provider string, clientID string) (string, error) {
	if m.DoGenerateOAuthState != nil {
	return m.DoGenerateOAuthState(ctx, provider, clientID)
	}
	return store.Generate62RandomString(14), nil
	}

	func TestViewOauthInit(t *testing.T) {

	t.Run("success", func(t *testing.T) {
	app := &MockOAuthDatastoreProvider{}
	h := oauthHandler{
	- Config: app.Config(),
	- DB: app.DB(),
	- Store: app.SessionStore(),
	+ Config: app.Config(),
	+ DB: app.DB(),
	+ Store: app.SessionStore(),
	EmailKey: []byte{0xd, 0xe, 0xc, 0xa, 0xf, 0xf, 0xb, 0xa, 0xd},
	oauthClient: writeAsOauthClient{
	ClientID: app.Config().WriteAsOauth.ClientID,
	ClientSecret: app.Config().WriteAsOauth.ClientSecret,
	ExchangeLocation: app.Config().WriteAsOauth.TokenLocation,
	InspectLocation: app.Config().WriteAsOauth.InspectLocation,
	AuthLocation: app.Config().WriteAsOauth.AuthLocation,
	CallbackLocation: "http://localhost/oauth/callback",
	HttpClient: nil,
	},
	}
	req, err := http.NewRequest("GET", "/oauth/client", nil)
	assert.NoError(t, err)
	rr := httptest.NewRecorder()
	err = h.viewOauthInit(nil, rr, req)
	assert.NotNil(t, err)
	httpErr, ok := err.(impart.HTTPError)
	assert.True(t, ok)
	assert.Equal(t, http.StatusTemporaryRedirect, httpErr.Status)
	assert.NotEmpty(t, httpErr.Message)
	locURI, err := url.Parse(httpErr.Message)
	assert.NoError(t, err)
	assert.Equal(t, "/oauth/login", locURI.Path)
	assert.Equal(t, "development", locURI.Query().Get("client_id"))
	assert.Equal(t, "http://localhost/oauth/callback", locURI.Query().Get("redirect_uri"))
	assert.Equal(t, "code", locURI.Query().Get("response_type"))
	assert.NotEmpty(t, locURI.Query().Get("state"))
	})

	t.Run("state failure", func(t *testing.T) {
	app := &MockOAuthDatastoreProvider{
	DoDB: func() OAuthDatastore {
	return &MockOAuthDatastore{
	DoGenerateOAuthState: func(ctx context.Context, provider, clientID string) (string, error) {
	return "", fmt.Errorf("pretend unable to write state error")
	},
	}
	},
	}
	h := oauthHandler{
	- Config: app.Config(),
	- DB: app.DB(),
	- Store: app.SessionStore(),
	+ Config: app.Config(),
	+ DB: app.DB(),
	+ Store: app.SessionStore(),
	EmailKey: []byte{0xd, 0xe, 0xc, 0xa, 0xf, 0xf, 0xb, 0xa, 0xd},
	oauthClient: writeAsOauthClient{
	ClientID: app.Config().WriteAsOauth.ClientID,
	ClientSecret: app.Config().WriteAsOauth.ClientSecret,
	ExchangeLocation: app.Config().WriteAsOauth.TokenLocation,
	InspectLocation: app.Config().WriteAsOauth.InspectLocation,
	AuthLocation: app.Config().WriteAsOauth.AuthLocation,
	CallbackLocation: "http://localhost/oauth/callback",
	HttpClient: nil,
	},
	}
	req, err := http.NewRequest("GET", "/oauth/client", nil)
	assert.NoError(t, err)
	rr := httptest.NewRecorder()
	err = h.viewOauthInit(nil, rr, req)
	httpErr, ok := err.(impart.HTTPError)
	assert.True(t, ok)
	assert.NotEmpty(t, httpErr.Message)
	assert.Equal(t, http.StatusInternalServerError, httpErr.Status)
	assert.Equal(t, "could not prepare oauth redirect url", httpErr.Message)
	})
	}

	func TestViewOauthCallback(t *testing.T) {
	t.Run("success", func(t *testing.T) {
	app := &MockOAuthDatastoreProvider{}
	h := oauthHandler{
	- Config: app.Config(),
	- DB: app.DB(),
	- Store: app.SessionStore(),
	+ Config: app.Config(),
	+ DB: app.DB(),
	+ Store: app.SessionStore(),
	EmailKey: []byte{0xd, 0xe, 0xc, 0xa, 0xf, 0xf, 0xb, 0xa, 0xd},
	oauthClient: writeAsOauthClient{
	ClientID: app.Config().WriteAsOauth.ClientID,
	ClientSecret: app.Config().WriteAsOauth.ClientSecret,
	ExchangeLocation: app.Config().WriteAsOauth.TokenLocation,
	InspectLocation: app.Config().WriteAsOauth.InspectLocation,
	AuthLocation: app.Config().WriteAsOauth.AuthLocation,
	CallbackLocation: "http://localhost/oauth/callback",
	HttpClient: &MockHTTPClient{
	DoDo: func(req http.Request) (http.Response, error) {
	switch req.URL.String() {
	case "https://write.as/oauth/token":
	return &http.Response{
	StatusCode: 200,
	Body: &StringReadCloser{strings.NewReader(`{"access_token": "access_token", "expires_in": 1000, "refresh_token": "refresh_token", "token_type": "access"}`)},
	}, nil
	case "https://write.as/oauth/inspect":
	return &http.Response{
	StatusCode: 200,
	Body: &StringReadCloser{strings.NewReader(`{"client_id": "development", "user_id": "1", "expires_at": "2019-12-19T11:42:01Z", "username": "nick", "email": "nick@testing.write.as"}`)},
	}, nil
	}

	return &http.Response{
	StatusCode: http.StatusNotFound,
	}, nil
	},
	},
	},
	}
	req, err := http.NewRequest("GET", "/oauth/callback", nil)
	assert.NoError(t, err)
	rr := httptest.NewRecorder()
	err = h.viewOauthCallback(nil, rr, req)
	assert.NoError(t, err)
	assert.Equal(t, http.StatusTemporaryRedirect, rr.Code)
	})
	}

File Metadata

Mime Type: text/x-diff
Expires: Sun, Nov 23, 9:19 AM (1 d, 16 h)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 3500534

No OneTemporaryActions

View Options

File Metadata

Event Timeline

No OneTemporary
Actions