chronograf/oauth2/generic.go

package oauth2

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io/ioutil"
	"net/http"
	"strings"

	gojwt "github.com/golang-jwt/jwt/v4"
	"github.com/influxdata/chronograf"
	"golang.org/x/oauth2"
)

// ExtendedProvider extendts the base Provider interface with optional methods
type ExtendedProvider interface {
	Provider
	// get PrincipalID from id_token
	PrincipalIDFromClaims(claims gojwt.MapClaims) (string, error)
	GroupFromClaims(claims gojwt.MapClaims) (string, error)
}

var _ ExtendedProvider = &Generic{}

// Generic provides OAuth Login and Callback server and is modeled
// after the Github OAuth2 provider. Callback will set an authentication
// cookie.  This cookie's value is a JWT containing the user's primary
// email address.
type Generic struct {
	PageName       string // Name displayed on the login page
	ClientID       string
	ClientSecret   string
	RequiredScopes []string
	Domains        []string // Optional email domain checking
	RedirectURL    string
	AuthURL        string
	TokenURL       string
	APIURL         string // APIURL returns OpenID Userinfo
	APIKey         string // APIKey is the JSON key to lookup email address in APIURL response
	Logger         chronograf.Logger
}

// Name is the name of the provider
func (g *Generic) Name() string {
	if g.PageName == "" {
		return "generic"
	}
	return g.PageName
}

// ID returns the generic application client id
func (g *Generic) ID() string {
	return g.ClientID
}

// Secret returns the generic application client secret
func (g *Generic) Secret() string {
	return g.ClientSecret
}

// Scopes for generic provider required of the client.
func (g *Generic) Scopes() []string {
	return g.RequiredScopes
}

// Config is the Generic OAuth2 exchange information and endpoints
func (g *Generic) Config() *oauth2.Config {
	return &oauth2.Config{
		ClientID:     g.ID(),
		ClientSecret: g.Secret(),
		Scopes:       g.Scopes(),
		RedirectURL:  g.RedirectURL,
		Endpoint: oauth2.Endpoint{
			AuthURL:  g.AuthURL,
			TokenURL: g.TokenURL,
		},
	}
}

// PrincipalID returns the email address of the user.
func (g *Generic) PrincipalID(provider *http.Client) (string, error) {
	res := map[string]interface{}{}

	r, err := provider.Get(g.APIURL)
	if err != nil {
		return "", err
	}

	defer r.Body.Close()
	if err = json.NewDecoder(r.Body).Decode(&res); err != nil {
		return "", err
	}

	email := ""
	value := res[g.APIKey]
	if e, ok := value.(string); ok {
		email = e
	}

	// If we did not receive an email address, try to lookup the email
	// in a similar way as github
	if email == "" {
		email, err = g.getPrimaryEmail(provider)
		if err != nil {
			return "", err
		}
	}

	// If we need to restrict to a set of domains, we first get the org
	// and filter.
	if len(g.Domains) > 0 {
		// If not in the domain deny permission
		if ok := ofDomain(g.Domains, email); !ok {
			msg := "Not a member of required domain"
			g.Logger.Error(msg)
			return "", fmt.Errorf(msg)
		}
	}

	return email, nil
}

// Group returns the domain that a user belongs to in the
// the generic OAuth.
func (g *Generic) Group(provider *http.Client) (string, error) {
	res := map[string]interface{}{}

	r, err := provider.Get(g.APIURL)
	if err != nil {
		return "", err
	}

	defer r.Body.Close()
	if err = json.NewDecoder(r.Body).Decode(&res); err != nil {
		return "", err
	}

	email := ""
	value := res[g.APIKey]
	if e, ok := value.(string); ok {
		email = e
	}

	// If we did not receive an email address, try to lookup the email
	// in a similar way as github
	if email == "" {
		email, err = g.getPrimaryEmail(provider)
		if err != nil {
			return "", err
		}
	}

	domain := strings.Split(email, "@")
	if len(domain) != 2 {
		return "", fmt.Errorf("malformed email address, expected %q to contain @ symbol", email)
	}

	return domain[1], nil
}

// UserEmail represents user's email address
type UserEmail struct {
	Email    *string `json:"email,omitempty"`
	Primary  *bool   `json:"primary,omitempty"`
	Verified *bool   `json:"verified,omitempty"`
	// support also indicators sent by bitbucket
	IsPrimary   *bool `json:"is_primary,omitempty"`
	IsConfirmed *bool `json:"is_confirmed,omitempty"`
}

// WrappedUserEmails represents (bitbucket's) structure that wraps email addresses in a values field
type WrappedUserEmails struct {
	Emails []*UserEmail `json:"values,omitempty"`
}

// getPrimaryEmail gets the private email account for the authenticated user.
func (g *Generic) getPrimaryEmail(client *http.Client) (string, error) {
	emailsEndpoint := g.APIURL + "/emails"
	r, err := client.Get(emailsEndpoint)
	if err != nil {
		return "", err
	}
	defer r.Body.Close()
	body, err := ioutil.ReadAll(r.Body)
	if err != nil {
		return "", err
	}
	if len(body) == 0 {
		return "", errors.New("No response body from /emails")
	}
	emails := []*UserEmail{}
	if body[0] == '[' {
		// array of UserEmail
		if err = json.NewDecoder(bytes.NewReader(body)).Decode(&emails); err != nil {
			return "", err
		}
	} else if body[0] == '{' {
		// a struct with values that contain []*UserEmail{}
		wrapped := WrappedUserEmails{}
		if err = json.NewDecoder(bytes.NewReader(body)).Decode(&wrapped); err != nil {
			return "", err
		}
		emails = wrapped.Emails
	}

	email, err := g.primaryEmail(emails)
	if err != nil {
		g.Logger.Error("Unable to retrieve primary email ", err.Error())
		return "", err
	}
	return email, nil
}

func (g *Generic) primaryEmail(emails []*UserEmail) (string, error) {
	var email string
	for _, m := range emails {
		if m != nil && m.Email != nil && ((m.Verified != nil) || (m.IsConfirmed != nil)) {
			if email != "" {
				email = *m.Email
			}
			if (m.Primary != nil && *m.Primary) || (m.IsPrimary != nil && *m.IsPrimary) {
				return *m.Email, nil
			}
		}
	}
	if email == "" {
		return "", errors.New("No primary email address")
	}
	return email, nil
}

// ofDomain makes sure that the email is in one of the required domains
func ofDomain(requiredDomains []string, email string) bool {
	for _, domain := range requiredDomains {
		emailDomain := fmt.Sprintf("@%s", domain)
		if strings.HasSuffix(email, emailDomain) {
			return true
		}
	}
	return false
}

// PrincipalIDFromClaims verifies an optional id_token and extracts email address of the user
func (g *Generic) PrincipalIDFromClaims(claims gojwt.MapClaims) (string, error) {
	if id, ok := claims[g.APIKey].(string); ok {
		return id, nil
	}
	return "", fmt.Errorf("no claim for %s", g.APIKey)
}

// GroupFromClaims verifies an optional id_token, extracts the email address of the user and splits off the domain part
func (g *Generic) GroupFromClaims(claims gojwt.MapClaims) (string, error) {
	if id, ok := claims[g.APIKey].(string); ok {
		email := strings.Split(id, "@")
		if len(email) != 2 {
			g.Logger.Error("malformed email address, expected %q to contain @ symbol", id)
			return "DEFAULT", nil
		}

		return email[1], nil
	}

	return "", fmt.Errorf("no claim for %s", g.APIKey)
}
Add implementation of generic oauth2 provider based on github concepts 2017-04-06 15:19:07 +00:00			`package oauth2`

			`import (`
feat(oauth): support bitbucket primary email retrieval 2020-12-14 17:06:11 +00:00			`"bytes"`
Add implementation of generic oauth2 provider based on github concepts 2017-04-06 15:19:07 +00:00			`"encoding/json"`
			`"errors"`
			`"fmt"`
feat(oauth): support bitbucket primary email retrieval 2020-12-14 17:06:11 +00:00			`"io/ioutil"`
Add implementation of generic oauth2 provider based on github concepts 2017-04-06 15:19:07 +00:00			`"net/http"`
			`"strings"`

fix(security): upgrade jwt to resolve CVE-2020-26160 2021-08-04 05:36:49 +00:00			`gojwt "github.com/golang-jwt/jwt/v4"`
Add implementation of generic oauth2 provider based on github concepts 2017-04-06 15:19:07 +00:00			`"github.com/influxdata/chronograf"`
			`"golang.org/x/oauth2"`
			`)`

merged upstream, updated comments, added GroupFromClaims() 2018-02-20 08:47:42 +00:00			`// ExtendedProvider extendts the base Provider interface with optional methods`
handle extra id_token in callback 2017-12-10 17:33:50 +00:00			`type ExtendedProvider interface {`
go fmt + got vet 2017-12-13 08:13:11 +00:00			`Provider`
			`// get PrincipalID from id_token`
			`PrincipalIDFromClaims(claims gojwt.MapClaims) (string, error)`
merged upstream, updated comments, added GroupFromClaims() 2018-02-20 08:47:42 +00:00			`GroupFromClaims(claims gojwt.MapClaims) (string, error)`
handle extra id_token in callback 2017-12-10 17:33:50 +00:00			`}`

			`var _ ExtendedProvider = &Generic{}`
Add implementation of generic oauth2 provider based on github concepts 2017-04-06 15:19:07 +00:00
			`// Generic provides OAuth Login and Callback server and is modeled`
			`// after the Github OAuth2 provider. Callback will set an authentication`
			`// cookie. This cookie's value is a JWT containing the user's primary`
			`// email address.`
			`type Generic struct {`
Add configurable scopes to generic oauth2 support 2017-04-07 19:58:35 +00:00			`PageName string // Name displayed on the login page`
			`ClientID string`
			`ClientSecret string`
			`RequiredScopes []string`
			`Domains []string // Optional email domain checking`
Add redirect url to generic oauth 2017-06-16 09:35:57 +00:00			`RedirectURL string`
Add configurable scopes to generic oauth2 support 2017-04-07 19:58:35 +00:00			`AuthURL string`
			`TokenURL string`
			`APIURL string // APIURL returns OpenID Userinfo`
Add GENERIC_API_KEY to override of oauth2 responses to support azure 2017-11-21 22:53:04 +00:00			`APIKey string // APIKey is the JSON key to lookup email address in APIURL response`
Add configurable scopes to generic oauth2 support 2017-04-07 19:58:35 +00:00			`Logger chronograf.Logger`
Add implementation of generic oauth2 provider based on github concepts 2017-04-06 15:19:07 +00:00			`}`

			`// Name is the name of the provider`
			`func (g *Generic) Name() string {`
Add renaming of generic oauth2 provider 2017-04-06 21:45:13 +00:00			`if g.PageName == "" {`
			`return "generic"`
			`}`
			`return g.PageName`
Add implementation of generic oauth2 provider based on github concepts 2017-04-06 15:19:07 +00:00			`}`

			`// ID returns the generic application client id`
			`func (g *Generic) ID() string {`
			`return g.ClientID`
			`}`

			`// Secret returns the generic application client secret`
			`func (g *Generic) Secret() string {`
			`return g.ClientSecret`
			`}`

Add configurable scopes to generic oauth2 support 2017-04-07 19:58:35 +00:00			`// Scopes for generic provider required of the client.`
Add implementation of generic oauth2 provider based on github concepts 2017-04-06 15:19:07 +00:00			`func (g *Generic) Scopes() []string {`
Add configurable scopes to generic oauth2 support 2017-04-07 19:58:35 +00:00			`return g.RequiredScopes`
Add implementation of generic oauth2 provider based on github concepts 2017-04-06 15:19:07 +00:00			`}`

			`// Config is the Generic OAuth2 exchange information and endpoints`
			`func (g Generic) Config() oauth2.Config {`
			`return &oauth2.Config{`
			`ClientID: g.ID(),`
			`ClientSecret: g.Secret(),`
			`Scopes: g.Scopes(),`
Add redirect url to generic oauth 2017-06-16 09:35:57 +00:00			`RedirectURL: g.RedirectURL,`
Add implementation of generic oauth2 provider based on github concepts 2017-04-06 15:19:07 +00:00			`Endpoint: oauth2.Endpoint{`
			`AuthURL: g.AuthURL,`
			`TokenURL: g.TokenURL,`
			`},`
			`}`
			`}`

			`// PrincipalID returns the email address of the user.`
			`func (g Generic) PrincipalID(provider http.Client) (string, error) {`
Add GENERIC_API_KEY to override of oauth2 responses to support azure 2017-11-21 22:53:04 +00:00			`res := map[string]interface{}{}`
Add implementation of generic oauth2 provider based on github concepts 2017-04-06 15:19:07 +00:00
			`r, err := provider.Get(g.APIURL)`
			`if err != nil {`
			`return "", err`
			`}`

			`defer r.Body.Close()`
			`if err = json.NewDecoder(r.Body).Decode(&res); err != nil {`
			`return "", err`
			`}`

Add GENERIC_API_KEY to override of oauth2 responses to support azure 2017-11-21 22:53:04 +00:00			`email := ""`
			`value := res[g.APIKey]`
			`if e, ok := value.(string); ok {`
			`email = e`
			`}`
Add implementation of generic oauth2 provider based on github concepts 2017-04-06 15:19:07 +00:00
			`// If we did not receive an email address, try to lookup the email`
			`// in a similar way as github`
			`if email == "" {`
			`email, err = g.getPrimaryEmail(provider)`
			`if err != nil {`
			`return "", err`
			`}`
			`}`

			`// If we need to restrict to a set of domains, we first get the org`
			`// and filter.`
			`if len(g.Domains) > 0 {`
			`// If not in the domain deny permission`
			`if ok := ofDomain(g.Domains, email); !ok {`
			`msg := "Not a member of required domain"`
			`g.Logger.Error(msg)`
			`return "", fmt.Errorf(msg)`
			`}`
			`}`

			`return email, nil`
			`}`

merged upstream, updated comments, added GroupFromClaims() 2018-02-20 08:47:42 +00:00			`// Group returns the domain that a user belongs to in the`
			`// the generic OAuth.`
			`func (g Generic) Group(provider http.Client) (string, error) {`
Use Generic APIKey for Oauth2 group lookup 2018-02-22 15:40:22 +00:00			`res := map[string]interface{}{}`
merged upstream, updated comments, added GroupFromClaims() 2018-02-20 08:47:42 +00:00
			`r, err := provider.Get(g.APIURL)`
			`if err != nil {`
			`return "", err`
			`}`

			`defer r.Body.Close()`
			`if err = json.NewDecoder(r.Body).Decode(&res); err != nil {`
			`return "", err`
			`}`

Use Generic APIKey for Oauth2 group lookup 2018-02-22 15:40:22 +00:00			`email := ""`
			`value := res[g.APIKey]`
			`if e, ok := value.(string); ok {`
			`email = e`
			`}`

			`// If we did not receive an email address, try to lookup the email`
			`// in a similar way as github`
			`if email == "" {`
			`email, err = g.getPrimaryEmail(provider)`
			`if err != nil {`
			`return "", err`
			`}`
			`}`

			`domain := strings.Split(email, "@")`
			`if len(domain) != 2 {`
			`return "", fmt.Errorf("malformed email address, expected %q to contain @ symbol", email)`
merged upstream, updated comments, added GroupFromClaims() 2018-02-20 08:47:42 +00:00			`}`

Use Generic APIKey for Oauth2 group lookup 2018-02-22 15:40:22 +00:00			`return domain[1], nil`
merged upstream, updated comments, added GroupFromClaims() 2018-02-20 08:47:42 +00:00			`}`

Add implementation of generic oauth2 provider based on github concepts 2017-04-06 15:19:07 +00:00			`// UserEmail represents user's email address`
			`type UserEmail struct {`
			Email *string `json:"email,omitempty"`
			Primary *bool `json:"primary,omitempty"`
			Verified *bool `json:"verified,omitempty"`
feat(oauth): support bitbucket primary email retrieval 2020-12-14 17:06:11 +00:00			`// support also indicators sent by bitbucket`
			IsPrimary *bool `json:"is_primary,omitempty"`
			IsConfirmed *bool `json:"is_confirmed,omitempty"`
			`}`

			`// WrappedUserEmails represents (bitbucket's) structure that wraps email addresses in a values field`
			`type WrappedUserEmails struct {`
			Emails []*UserEmail `json:"values,omitempty"`
Add implementation of generic oauth2 provider based on github concepts 2017-04-06 15:19:07 +00:00			`}`

			`// getPrimaryEmail gets the private email account for the authenticated user.`
			`func (g Generic) getPrimaryEmail(client http.Client) (string, error) {`
			`emailsEndpoint := g.APIURL + "/emails"`
			`r, err := client.Get(emailsEndpoint)`
			`if err != nil {`
			`return "", err`
			`}`
			`defer r.Body.Close()`
feat(oauth): support bitbucket primary email retrieval 2020-12-14 17:06:11 +00:00			`body, err := ioutil.ReadAll(r.Body)`
			`if err != nil {`
Add implementation of generic oauth2 provider based on github concepts 2017-04-06 15:19:07 +00:00			`return "", err`
			`}`
feat(oauth): support bitbucket primary email retrieval 2020-12-14 17:06:11 +00:00			`if len(body) == 0 {`
			`return "", errors.New("No response body from /emails")`
			`}`
			`emails := []*UserEmail{}`
			`if body[0] == '[' {`
			`// array of UserEmail`
			`if err = json.NewDecoder(bytes.NewReader(body)).Decode(&emails); err != nil {`
			`return "", err`
			`}`
			`} else if body[0] == '{' {`
			`// a struct with values that contain []*UserEmail{}`
			`wrapped := WrappedUserEmails{}`
			`if err = json.NewDecoder(bytes.NewReader(body)).Decode(&wrapped); err != nil {`
			`return "", err`
			`}`
			`emails = wrapped.Emails`
			`}`
Add implementation of generic oauth2 provider based on github concepts 2017-04-06 15:19:07 +00:00
			`email, err := g.primaryEmail(emails)`
			`if err != nil {`
			`g.Logger.Error("Unable to retrieve primary email ", err.Error())`
			`return "", err`
			`}`
			`return email, nil`
			`}`

			`func (g Generic) primaryEmail(emails []UserEmail) (string, error) {`
feat(oauth): test bitbucket group retrieval 2020-12-17 06:40:24 +00:00			`var email string`
Add implementation of generic oauth2 provider based on github concepts 2017-04-06 15:19:07 +00:00			`for _, m := range emails {`
feat(oauth): test bitbucket group retrieval 2020-12-17 06:40:24 +00:00			`if m != nil && m.Email != nil && ((m.Verified != nil) \|\| (m.IsConfirmed != nil)) {`
			`if email != "" {`
			`email = *m.Email`
			`}`
			`if (m.Primary != nil && m.Primary) \|\| (m.IsPrimary != nil && m.IsPrimary) {`
			`return *m.Email, nil`
			`}`
Add implementation of generic oauth2 provider based on github concepts 2017-04-06 15:19:07 +00:00			`}`
			`}`
feat(oauth): test bitbucket group retrieval 2020-12-17 06:40:24 +00:00			`if email == "" {`
			`return "", errors.New("No primary email address")`
			`}`
			`return email, nil`
Add implementation of generic oauth2 provider based on github concepts 2017-04-06 15:19:07 +00:00			`}`

			`// ofDomain makes sure that the email is in one of the required domains`
			`func ofDomain(requiredDomains []string, email string) bool {`
			`for _, domain := range requiredDomains {`
			`emailDomain := fmt.Sprintf("@%s", domain)`
			`if strings.HasSuffix(email, emailDomain) {`
			`return true`
			`}`
			`}`
			`return false`
			`}`
handle extra id_token in callback 2017-12-10 17:33:50 +00:00
merged upstream, updated comments, added GroupFromClaims() 2018-02-20 08:47:42 +00:00			`// PrincipalIDFromClaims verifies an optional id_token and extracts email address of the user`
handle extra id_token in callback 2017-12-10 17:33:50 +00:00			`func (g *Generic) PrincipalIDFromClaims(claims gojwt.MapClaims) (string, error) {`
go fmt + got vet 2017-12-13 08:13:11 +00:00			`if id, ok := claims[g.APIKey].(string); ok {`
			`return id, nil`
			`}`
			`return "", fmt.Errorf("no claim for %s", g.APIKey)`
handle extra id_token in callback 2017-12-10 17:33:50 +00:00			`}`
merged upstream, updated comments, added GroupFromClaims() 2018-02-20 08:47:42 +00:00
			`// GroupFromClaims verifies an optional id_token, extracts the email address of the user and splits off the domain part`
			`func (g *Generic) GroupFromClaims(claims gojwt.MapClaims) (string, error) {`
			`if id, ok := claims[g.APIKey].(string); ok {`
			`email := strings.Split(id, "@")`
			`if len(email) != 2 {`
			`g.Logger.Error("malformed email address, expected %q to contain @ symbol", id)`
			`return "DEFAULT", nil`
			`}`

			`return email[1], nil`
			`}`

			`return "", fmt.Errorf("no claim for %s", g.APIKey)`
			`}`