influxdb/oauth2/heroku.go

package oauth2

import (
	"encoding/json"
	"net/http"

	"github.com/influxdata/chronograf"

	"golang.org/x/oauth2"
	hrk "golang.org/x/oauth2/heroku"
)

// Ensure that Heroku is an oauth2.Provider
var _ Provider = &Heroku{}

const (
	// Routes required for interacting with Heroku API
	HEROKU_ACCOUNT_ROUTE string = "https://api.heroku.com/account"
)

// Heroku is an OAuth2 Provider allowing users to authenticate with Heroku to
// gain access to Chronograf
type Heroku struct {
	// OAuth2 Secrets
	ClientID     string
	ClientSecret string

	Organizations []string // set of organizations permitted to access the protected resource. Empty means "all"

	Logger chronograf.Logger
}

// Config returns the OAuth2 exchange information and endpoints
func (h *Heroku) Config() *oauth2.Config {
	return &oauth2.Config{
		ClientID:     h.ID(),
		ClientSecret: h.Secret(),
		Scopes:       h.Scopes(),
		Endpoint:     hrk.Endpoint,
	}
}

// ID returns the Heroku application client ID
func (h *Heroku) ID() string {
	return h.ClientID
}

// Name returns the name of this provider (heroku)
func (h *Heroku) Name() string {
	return "heroku"
}

// PrincipalID returns the Heroku email address of the user.
func (h *Heroku) PrincipalID(provider *http.Client) (string, error) {
	type DefaultOrg struct {
		ID   string `json:"id"`
		Name string `json:"name"`
	}
	type Account struct {
		Email               string     `json:"email"`
		DefaultOrganization DefaultOrg `json:"default_organization"`
	}

	resp, err := provider.Get(HEROKU_ACCOUNT_ROUTE)
	if err != nil {
		h.Logger.Error("Unable to communicate with Heroku. err:", err)
		return "", err
	}
	defer resp.Body.Close()
	d := json.NewDecoder(resp.Body)
	var account Account
	if err := d.Decode(&account); err != nil {
		h.Logger.Error("Unable to decode response from Heroku. err:", err)
		return "", err
	}

	// check if member of org
	if len(h.Organizations) > 0 {
		for _, org := range h.Organizations {
			if account.DefaultOrganization.Name == org {
				return account.Email, nil
			}
		}
		h.Logger.Error(ErrOrgMembership)
		return "", ErrOrgMembership
	} else {
		return account.Email, nil
	}
}

// Scopes for heroku is "identity" which grants access to user account
// information. This will grant us access to the user's email address which is
// used as the Principal's identifier.
func (h *Heroku) Scopes() []string {
	return []string{"identity"}
}

// Secret returns the Heroku application client secret
func (h *Heroku) Secret() string {
	return h.ClientSecret
}
Add Heroku Oauth2 Provider This adds an Oauth2 Provider for authenticating users against Heroku's API. In contrast to other Providers, a maintained client library for interacting with the Heroku API was not available, so direct HTTP calls are made instead. This follows with their documentation posted here: https://devcenter.heroku.com/articles/oauth2-heroku-go 2017-02-16 17:05:55 +00:00			`package oauth2`

			`import (`
			`"encoding/json"`
			`"net/http"`

			`"github.com/influxdata/chronograf"`

			`"golang.org/x/oauth2"`
Configure Heroku OAuth2 properly This was erroneously left unconfigured during dev. 2017-02-16 17:56:01 +00:00			`hrk "golang.org/x/oauth2/heroku"`
Add Heroku Oauth2 Provider This adds an Oauth2 Provider for authenticating users against Heroku's API. In contrast to other Providers, a maintained client library for interacting with the Heroku API was not available, so direct HTTP calls are made instead. This follows with their documentation posted here: https://devcenter.heroku.com/articles/oauth2-heroku-go 2017-02-16 17:05:55 +00:00			`)`

			`// Ensure that Heroku is an oauth2.Provider`
			`var _ Provider = &Heroku{}`

			`const (`
			`// Routes required for interacting with Heroku API`
			`HEROKU_ACCOUNT_ROUTE string = "https://api.heroku.com/account"`
			`)`

			`// Heroku is an OAuth2 Provider allowing users to authenticate with Heroku to`
			`// gain access to Chronograf`
			`type Heroku struct {`
			`// OAuth2 Secrets`
			`ClientID string`
			`ClientSecret string`

Add organization restriction on Heroku provider This allows operators to permit access to Chronograf only to users belonging to a set of specific Heroku organizations. This is controlled using the HEROKU_ORGS env or the --heroku-organizations switch. 2017-02-21 18:04:17 +00:00			`Organizations []string // set of organizations permitted to access the protected resource. Empty means "all"`

Add Heroku Oauth2 Provider This adds an Oauth2 Provider for authenticating users against Heroku's API. In contrast to other Providers, a maintained client library for interacting with the Heroku API was not available, so direct HTTP calls are made instead. This follows with their documentation posted here: https://devcenter.heroku.com/articles/oauth2-heroku-go 2017-02-16 17:05:55 +00:00			`Logger chronograf.Logger`
			`}`

			`// Config returns the OAuth2 exchange information and endpoints`
			`func (h Heroku) Config() oauth2.Config {`
Configure Heroku OAuth2 properly This was erroneously left unconfigured during dev. 2017-02-16 17:56:01 +00:00			`return &oauth2.Config{`
			`ClientID: h.ID(),`
			`ClientSecret: h.Secret(),`
			`Scopes: h.Scopes(),`
			`Endpoint: hrk.Endpoint,`
			`}`
Add Heroku Oauth2 Provider This adds an Oauth2 Provider for authenticating users against Heroku's API. In contrast to other Providers, a maintained client library for interacting with the Heroku API was not available, so direct HTTP calls are made instead. This follows with their documentation posted here: https://devcenter.heroku.com/articles/oauth2-heroku-go 2017-02-16 17:05:55 +00:00			`}`

			`// ID returns the Heroku application client ID`
			`func (h *Heroku) ID() string {`
			`return h.ClientID`
			`}`

			`// Name returns the name of this provider (heroku)`
			`func (h *Heroku) Name() string {`
			`return "heroku"`
			`}`

			`// PrincipalID returns the Heroku email address of the user.`
			`func (h Heroku) PrincipalID(provider http.Client) (string, error) {`
Add organization restriction on Heroku provider This allows operators to permit access to Chronograf only to users belonging to a set of specific Heroku organizations. This is controlled using the HEROKU_ORGS env or the --heroku-organizations switch. 2017-02-21 18:04:17 +00:00			`type DefaultOrg struct {`
			ID string `json:"id"`
			Name string `json:"name"`
			`}`
			`type Account struct {`
			Email string `json:"email"`
			DefaultOrganization DefaultOrg `json:"default_organization"`
			`}`

Add Heroku Oauth2 Provider This adds an Oauth2 Provider for authenticating users against Heroku's API. In contrast to other Providers, a maintained client library for interacting with the Heroku API was not available, so direct HTTP calls are made instead. This follows with their documentation posted here: https://devcenter.heroku.com/articles/oauth2-heroku-go 2017-02-16 17:05:55 +00:00			`resp, err := provider.Get(HEROKU_ACCOUNT_ROUTE)`
			`if err != nil {`
			`h.Logger.Error("Unable to communicate with Heroku. err:", err)`
			`return "", err`
			`}`
			`defer resp.Body.Close()`
			`d := json.NewDecoder(resp.Body)`
Add organization restriction on Heroku provider This allows operators to permit access to Chronograf only to users belonging to a set of specific Heroku organizations. This is controlled using the HEROKU_ORGS env or the --heroku-organizations switch. 2017-02-21 18:04:17 +00:00			`var account Account`
Add Heroku Oauth2 Provider This adds an Oauth2 Provider for authenticating users against Heroku's API. In contrast to other Providers, a maintained client library for interacting with the Heroku API was not available, so direct HTTP calls are made instead. This follows with their documentation posted here: https://devcenter.heroku.com/articles/oauth2-heroku-go 2017-02-16 17:05:55 +00:00			`if err := d.Decode(&account); err != nil {`
			`h.Logger.Error("Unable to decode response from Heroku. err:", err)`
			`return "", err`
			`}`
Add organization restriction on Heroku provider This allows operators to permit access to Chronograf only to users belonging to a set of specific Heroku organizations. This is controlled using the HEROKU_ORGS env or the --heroku-organizations switch. 2017-02-21 18:04:17 +00:00
			`// check if member of org`
			`if len(h.Organizations) > 0 {`
			`for _, org := range h.Organizations {`
			`if account.DefaultOrganization.Name == org {`
			`return account.Email, nil`
			`}`
			`}`
			`h.Logger.Error(ErrOrgMembership)`
			`return "", ErrOrgMembership`
			`} else {`
			`return account.Email, nil`
			`}`
Add Heroku Oauth2 Provider This adds an Oauth2 Provider for authenticating users against Heroku's API. In contrast to other Providers, a maintained client library for interacting with the Heroku API was not available, so direct HTTP calls are made instead. This follows with their documentation posted here: https://devcenter.heroku.com/articles/oauth2-heroku-go 2017-02-16 17:05:55 +00:00			`}`

			`// Scopes for heroku is "identity" which grants access to user account`
			`// information. This will grant us access to the user's email address which is`
			`// used as the Principal's identifier.`
			`func (h *Heroku) Scopes() []string {`
			`return []string{"identity"}`
			`}`

			`// Secret returns the Heroku application client secret`
			`func (h *Heroku) Secret() string {`
			`return h.ClientSecret`
			`}`