influxdb/oauth2/github.go

package oauth2

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"io"
	"net/http"

	"github.com/google/go-github/github"
	"github.com/influxdata/chronograf"
	"golang.org/x/oauth2"
	ogh "golang.org/x/oauth2/github"
)

var _ Provider = &Github{}

// Github provides OAuth Login and Callback server. Callback will set
// an authentication cookie.  This cookie's value is a JWT containing
// the user's primary Github email address.
type Github struct {
	Auth         Authenticator
	ClientID     string
	ClientSecret string
	Orgs         []string // Optional github organization checking
	Logger       chronograf.Logger
}

// ID returns the github application client id
func (g *Github) ID() string {
	return g.ClientID
}

// Secret returns the github application client secret
func (g *Github) Secret() string {
	return g.ClientSecret
}

// Scopes for github is only the email addres and possible organizations if
// we are filtering by organizations.
func (g *Github) Scopes() []string {
	scopes := []string{"user:email"}
	if len(g.Orgs) > 0 {
		scopes = append(scopes, "read:org")
	}
	return scopes
}

// NewGithub constructs a Github with default scopes.
func NewGithub(clientID, clientSecret string, orgs []string, auth Authenticator, log chronograf.Logger) Github {
	scopes := []string{"user:email"}
	if len(orgs) > 0 {
		scopes = append(scopes, "read:org")
	}
	return Github{
		ClientID:     clientID,
		ClientSecret: clientSecret,
		Orgs:         orgs,
		Auth:         auth,
		Logger:       log,
	}
}

// Config is the Github OAuth2 exchange information and endpoints
func (g *Github) Config() *oauth2.Config {
	return &oauth2.Config{
		ClientID:     g.ID(),
		ClientSecret: g.Secret(),
		Scopes:       g.Scopes(),
		Endpoint:     ogh.Endpoint,
	}
}

// PrincipalID returns the github email address of the user.
func (g *Github) PrincipalID(provider *http.Client) (string, error) {
	client := github.NewClient(provider)
	// If we need to restrict to a set of organizations, we first get the org
	// and filter.
	if len(g.Orgs) > 0 {
		orgs, err := getOrganizations(client, g.Logger)
		if err != nil {
			return "", err
		}
		// Not a member, so, deny permission
		if ok := isMember(g.Orgs, orgs); !ok {
			g.Logger.Error("Not a member of required github organization")
			return "", err
		}
	}

	email, err := getPrimaryEmail(client, g.Logger)
	if err != nil {
		return "", nil
	}
	return email, nil
}

func randomString(length int) string {
	k := make([]byte, length)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return ""
	}
	return base64.StdEncoding.EncodeToString(k)
}

func logResponseError(log chronograf.Logger, resp *github.Response, err error) {
	switch resp.StatusCode {
	case http.StatusUnauthorized, http.StatusForbidden:
		log.Error("OAuth access to email address forbidden ", err.Error())
	default:
		log.Error("Unable to retrieve Github email ", err.Error())
	}
}

// isMember makes sure that the user is in one of the required organizations
func isMember(requiredOrgs []string, userOrgs []*github.Organization) bool {
	for _, requiredOrg := range requiredOrgs {
		for _, userOrg := range userOrgs {
			if userOrg.Login != nil && *userOrg.Login == requiredOrg {
				return true
			}
		}
	}
	return false
}

// getOrganizations gets all organization for the currently authenticated user
func getOrganizations(client *github.Client, log chronograf.Logger) ([]*github.Organization, error) {
	// Get all pages of results
	var allOrgs []*github.Organization
	for {
		opt := &github.ListOptions{
			PerPage: 10,
		}
		// Get the organizations for the current authenticated user.
		orgs, resp, err := client.Organizations.List("", opt)
		if err != nil {
			logResponseError(log, resp, err)
			return nil, err
		}
		allOrgs = append(allOrgs, orgs...)
		if resp.NextPage == 0 {
			break
		}
		opt.Page = resp.NextPage
	}
	return allOrgs, nil
}

// getPrimaryEmail gets the primary email account for the authenticated user.
func getPrimaryEmail(client *github.Client, log chronograf.Logger) (string, error) {
	emails, resp, err := client.Users.ListEmails(nil)
	if err != nil {
		logResponseError(log, resp, err)
		return "", err
	}

	email, err := primaryEmail(emails)
	if err != nil {
		log.Error("Unable to retrieve primary Github email ", err.Error())
		return "", err
	}
	return email, nil
}

func primaryEmail(emails []*github.UserEmail) (string, error) {
	for _, m := range emails {
		if m != nil && m.Primary != nil && m.Verified != nil && m.Email != nil {
			return *m.Email, nil
		}
	}
	return "", errors.New("No primary email address")
}
Reorganize OAuth2 Logic Created an oauth2 package which encapsulates all oauth2 providers, utility functions, types, and interfaces. Previously some methods of the Github provider were used as http.HandlerFuncs. These have now been pulled into a concrete type called a JWTMux to implement other Oauth2 providers. JWTMux has all of the functionality required to take a token from any provider and store it as a JWT in a browser, and that is the extent of its responsibilities. It implements the oauth2.Mux interface which would potentially allow other strategies of oauth2 credential storage. 2017-02-14 21:14:24 +00:00			`package oauth2`
Add Github OAuth, JWT cookie values, and principal in context. 2016-10-16 01:34:57 +00:00
			`import (`
			`"crypto/rand"`
			`"encoding/base64"`
			`"errors"`
			`"io"`
			`"net/http"`

			`"github.com/google/go-github/github"`
Update to chronograf from mrfusion 2016-10-20 23:01:14 +00:00			`"github.com/influxdata/chronograf"`
Add Github OAuth, JWT cookie values, and principal in context. 2016-10-16 01:34:57 +00:00			`"golang.org/x/oauth2"`
			`ogh "golang.org/x/oauth2/github"`
			`)`

Reorganize OAuth2 Logic Created an oauth2 package which encapsulates all oauth2 providers, utility functions, types, and interfaces. Previously some methods of the Github provider were used as http.HandlerFuncs. These have now been pulled into a concrete type called a JWTMux to implement other Oauth2 providers. JWTMux has all of the functionality required to take a token from any provider and store it as a JWT in a browser, and that is the extent of its responsibilities. It implements the oauth2.Mux interface which would potentially allow other strategies of oauth2 credential storage. 2017-02-14 21:14:24 +00:00			`var _ Provider = &Github{}`
WIP 2017-02-14 00:02:43 +00:00
Refactor to remove autogenerated code. 2016-10-25 15:20:06 +00:00			`// Github provides OAuth Login and Callback server. Callback will set`
Add Github OAuth, JWT cookie values, and principal in context. 2016-10-16 01:34:57 +00:00			`// an authentication cookie. This cookie's value is a JWT containing`
			`// the user's primary Github email address.`
			`type Github struct {`
Reorganize OAuth2 Logic Created an oauth2 package which encapsulates all oauth2 providers, utility functions, types, and interfaces. Previously some methods of the Github provider were used as http.HandlerFuncs. These have now been pulled into a concrete type called a JWTMux to implement other Oauth2 providers. JWTMux has all of the functionality required to take a token from any provider and store it as a JWT in a browser, and that is the extent of its responsibilities. It implements the oauth2.Mux interface which would potentially allow other strategies of oauth2 credential storage. 2017-02-14 21:14:24 +00:00			`Auth Authenticator`
WIP 2017-02-12 20:51:36 +00:00			`ClientID string`
			`ClientSecret string`
			`Orgs []string // Optional github organization checking`
			`Logger chronograf.Logger`
			`}`

WIP 2017-02-14 00:02:43 +00:00			`// ID returns the github application client id`
WIP 2017-02-12 20:51:36 +00:00			`func (g *Github) ID() string {`
			`return g.ClientID`
			`}`

WIP 2017-02-14 00:02:43 +00:00			`// Secret returns the github application client secret`
WIP 2017-02-12 20:51:36 +00:00			`func (g *Github) Secret() string {`
			`return g.ClientSecret`
			`}`

WIP 2017-02-14 00:02:43 +00:00			`// Scopes for github is only the email addres and possible organizations if`
			`// we are filtering by organizations.`
WIP 2017-02-12 20:51:36 +00:00			`func (g *Github) Scopes() []string {`
			`scopes := []string{"user:email"}`
			`if len(g.Orgs) > 0 {`
			`scopes = append(scopes, "read:org")`
			`}`
			`return scopes`
			`}`

WIP 2017-02-14 00:02:43 +00:00			`// NewGithub constructs a Github with default scopes.`
Reorganize OAuth2 Logic Created an oauth2 package which encapsulates all oauth2 providers, utility functions, types, and interfaces. Previously some methods of the Github provider were used as http.HandlerFuncs. These have now been pulled into a concrete type called a JWTMux to implement other Oauth2 providers. JWTMux has all of the functionality required to take a token from any provider and store it as a JWT in a browser, and that is the extent of its responsibilities. It implements the oauth2.Mux interface which would potentially allow other strategies of oauth2 credential storage. 2017-02-14 21:14:24 +00:00			`func NewGithub(clientID, clientSecret string, orgs []string, auth Authenticator, log chronograf.Logger) Github {`
Add Github organization restriction to authentication 2017-01-05 17:29:26 +00:00			`scopes := []string{"user:email"}`
			`if len(orgs) > 0 {`
			`scopes = append(scopes, "read:org")`
			`}`
Add Github OAuth, JWT cookie values, and principal in context. 2016-10-16 01:34:57 +00:00			`return Github{`
WIP 2017-02-12 20:51:36 +00:00			`ClientID: clientID,`
			`ClientSecret: clientSecret,`
			`Orgs: orgs,`
			`Auth: auth,`
			`Logger: log,`
Add Github OAuth, JWT cookie values, and principal in context. 2016-10-16 01:34:57 +00:00			`}`
			`}`

WIP 2017-02-14 00:02:43 +00:00			`// Config is the Github OAuth2 exchange information and endpoints`
			`func (g Github) Config() oauth2.Config {`
Add Github OAuth, JWT cookie values, and principal in context. 2016-10-16 01:34:57 +00:00			`return &oauth2.Config{`
WIP 2017-02-12 20:51:36 +00:00			`ClientID: g.ID(),`
			`ClientSecret: g.Secret(),`
			`Scopes: g.Scopes(),`
Add Github OAuth, JWT cookie values, and principal in context. 2016-10-16 01:34:57 +00:00			`Endpoint: ogh.Endpoint,`
			`}`
			`}`

WIP 2017-02-14 00:02:43 +00:00			`// PrincipalID returns the github email address of the user.`
			`func (g Github) PrincipalID(provider http.Client) (string, error) {`
			`client := github.NewClient(provider)`
			`// If we need to restrict to a set of organizations, we first get the org`
			`// and filter.`
			`if len(g.Orgs) > 0 {`
			`orgs, err := getOrganizations(client, g.Logger)`
Add Github OAuth, JWT cookie values, and principal in context. 2016-10-16 01:34:57 +00:00			`if err != nil {`
WIP 2017-02-14 00:02:43 +00:00			`return "", err`
Add Github OAuth, JWT cookie values, and principal in context. 2016-10-16 01:34:57 +00:00			`}`
WIP 2017-02-14 00:02:43 +00:00			`// Not a member, so, deny permission`
			`if ok := isMember(g.Orgs, orgs); !ok {`
			`g.Logger.Error("Not a member of required github organization")`
			`return "", err`
Add Github OAuth, JWT cookie values, and principal in context. 2016-10-16 01:34:57 +00:00			`}`
WIP 2017-02-14 00:02:43 +00:00			`}`
Add Github OAuth, JWT cookie values, and principal in context. 2016-10-16 01:34:57 +00:00
WIP 2017-02-14 00:02:43 +00:00			`email, err := getPrimaryEmail(client, g.Logger)`
			`if err != nil {`
			`return "", nil`
			`}`
			`return email, nil`
Add Github OAuth, JWT cookie values, and principal in context. 2016-10-16 01:34:57 +00:00			`}`

			`func randomString(length int) string {`
			`k := make([]byte, length)`
			`if _, err := io.ReadFull(rand.Reader, k); err != nil {`
			`return ""`
			`}`
			`return base64.StdEncoding.EncodeToString(k)`
			`}`

Add Github organization restriction to authentication 2017-01-05 17:29:26 +00:00			`func logResponseError(log chronograf.Logger, resp *github.Response, err error) {`
			`switch resp.StatusCode {`
			`case http.StatusUnauthorized, http.StatusForbidden:`
			`log.Error("OAuth access to email address forbidden ", err.Error())`
			`default:`
			`log.Error("Unable to retrieve Github email ", err.Error())`
			`}`
			`}`

			`// isMember makes sure that the user is in one of the required organizations`
			`func isMember(requiredOrgs []string, userOrgs []*github.Organization) bool {`
			`for _, requiredOrg := range requiredOrgs {`
			`for _, userOrg := range userOrgs {`
			`if userOrg.Login != nil && *userOrg.Login == requiredOrg {`
			`return true`
			`}`
			`}`
			`}`
			`return false`
			`}`

			`// getOrganizations gets all organization for the currently authenticated user`
			`func getOrganizations(client github.Client, log chronograf.Logger) ([]github.Organization, error) {`
			`// Get all pages of results`
			`var allOrgs []*github.Organization`
			`for {`
			`opt := &github.ListOptions{`
			`PerPage: 10,`
			`}`
			`// Get the organizations for the current authenticated user.`
			`orgs, resp, err := client.Organizations.List("", opt)`
			`if err != nil {`
			`logResponseError(log, resp, err)`
			`return nil, err`
			`}`
			`allOrgs = append(allOrgs, orgs...)`
			`if resp.NextPage == 0 {`
			`break`
			`}`
			`opt.Page = resp.NextPage`
			`}`
			`return allOrgs, nil`
			`}`

			`// getPrimaryEmail gets the primary email account for the authenticated user.`
			`func getPrimaryEmail(client *github.Client, log chronograf.Logger) (string, error) {`
			`emails, resp, err := client.Users.ListEmails(nil)`
			`if err != nil {`
			`logResponseError(log, resp, err)`
			`return "", err`
			`}`

			`email, err := primaryEmail(emails)`
			`if err != nil {`
			`log.Error("Unable to retrieve primary Github email ", err.Error())`
			`return "", err`
			`}`
			`return email, nil`
			`}`

Add Github OAuth, JWT cookie values, and principal in context. 2016-10-16 01:34:57 +00:00			`func primaryEmail(emails []*github.UserEmail) (string, error) {`
			`for _, m := range emails {`
			`if m != nil && m.Primary != nil && m.Verified != nil && m.Email != nil {`
			`return *m.Email, nil`
			`}`
			`}`
			`return "", errors.New("No primary email address")`
			`}`