mirror of
				https://codeberg.org/forgejo/forgejo.git
				synced 2025-10-25 11:33:11 +00:00 
			
		
		
		
	
		
			
				
	
	
		
			678 lines
		
	
	
	
		
			22 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
			
		
		
	
	
			678 lines
		
	
	
	
		
			22 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
| // Copyright 2019 The Gitea Authors. All rights reserved.
 | |
| // SPDX-License-Identifier: MIT
 | |
| 
 | |
| package auth
 | |
| 
 | |
| import (
 | |
| 	"context"
 | |
| 	"crypto/sha256"
 | |
| 	"encoding/base32"
 | |
| 	"encoding/base64"
 | |
| 	"errors"
 | |
| 	"fmt"
 | |
| 	"net"
 | |
| 	"net/url"
 | |
| 	"strings"
 | |
| 
 | |
| 	"code.gitea.io/gitea/models/db"
 | |
| 	"code.gitea.io/gitea/modules/container"
 | |
| 	"code.gitea.io/gitea/modules/setting"
 | |
| 	"code.gitea.io/gitea/modules/timeutil"
 | |
| 	"code.gitea.io/gitea/modules/util"
 | |
| 
 | |
| 	uuid "github.com/google/uuid"
 | |
| 	"golang.org/x/crypto/bcrypt"
 | |
| 	"xorm.io/builder"
 | |
| 	"xorm.io/xorm"
 | |
| )
 | |
| 
 | |
| // OAuth2Application represents an OAuth2 client (RFC 6749)
 | |
| type OAuth2Application struct {
 | |
| 	ID           int64 `xorm:"pk autoincr"`
 | |
| 	UID          int64 `xorm:"INDEX"`
 | |
| 	Name         string
 | |
| 	ClientID     string `xorm:"unique"`
 | |
| 	ClientSecret string
 | |
| 	// OAuth defines both Confidential and Public client types
 | |
| 	// https://datatracker.ietf.org/doc/html/rfc6749#section-2.1
 | |
| 	// "Authorization servers MUST record the client type in the client registration details"
 | |
| 	// https://datatracker.ietf.org/doc/html/rfc8252#section-8.4
 | |
| 	ConfidentialClient bool               `xorm:"NOT NULL DEFAULT TRUE"`
 | |
| 	RedirectURIs       []string           `xorm:"redirect_uris JSON TEXT"`
 | |
| 	CreatedUnix        timeutil.TimeStamp `xorm:"INDEX created"`
 | |
| 	UpdatedUnix        timeutil.TimeStamp `xorm:"INDEX updated"`
 | |
| }
 | |
| 
 | |
| func init() {
 | |
| 	db.RegisterModel(new(OAuth2Application))
 | |
| 	db.RegisterModel(new(OAuth2AuthorizationCode))
 | |
| 	db.RegisterModel(new(OAuth2Grant))
 | |
| }
 | |
| 
 | |
| type BuiltinOAuth2Application struct {
 | |
| 	ConfigName   string
 | |
| 	DisplayName  string
 | |
| 	RedirectURIs []string
 | |
| }
 | |
| 
 | |
| func BuiltinApplications() map[string]*BuiltinOAuth2Application {
 | |
| 	m := make(map[string]*BuiltinOAuth2Application)
 | |
| 	m["a4792ccc-144e-407e-86c9-5e7d8d9c3269"] = &BuiltinOAuth2Application{
 | |
| 		ConfigName:   "git-credential-oauth",
 | |
| 		DisplayName:  "git-credential-oauth",
 | |
| 		RedirectURIs: []string{"http://127.0.0.1", "https://127.0.0.1"},
 | |
| 	}
 | |
| 	m["e90ee53c-94e2-48ac-9358-a874fb9e0662"] = &BuiltinOAuth2Application{
 | |
| 		ConfigName:   "git-credential-manager",
 | |
| 		DisplayName:  "Git Credential Manager",
 | |
| 		RedirectURIs: []string{"http://127.0.0.1", "https://127.0.0.1"},
 | |
| 	}
 | |
| 	m["d57cb8c4-630c-4168-8324-ec79935e18d4"] = &BuiltinOAuth2Application{
 | |
| 		ConfigName:   "tea",
 | |
| 		DisplayName:  "tea",
 | |
| 		RedirectURIs: []string{"http://127.0.0.1", "https://127.0.0.1"},
 | |
| 	}
 | |
| 	return m
 | |
| }
 | |
| 
 | |
| func BuiltinApplicationsClientIDs() (clientIDs []string) {
 | |
| 	for clientID := range BuiltinApplications() {
 | |
| 		clientIDs = append(clientIDs, clientID)
 | |
| 	}
 | |
| 	return clientIDs
 | |
| }
 | |
| 
 | |
| func Init(ctx context.Context) error {
 | |
| 	builtinApps := BuiltinApplications()
 | |
| 	var builtinAllClientIDs []string
 | |
| 	for clientID := range builtinApps {
 | |
| 		builtinAllClientIDs = append(builtinAllClientIDs, clientID)
 | |
| 	}
 | |
| 
 | |
| 	var registeredApps []*OAuth2Application
 | |
| 	if err := db.GetEngine(ctx).In("client_id", builtinAllClientIDs).Find(®isteredApps); err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 
 | |
| 	clientIDsToAdd := container.Set[string]{}
 | |
| 	for _, configName := range setting.OAuth2.DefaultApplications {
 | |
| 		found := false
 | |
| 		for clientID, builtinApp := range builtinApps {
 | |
| 			if builtinApp.ConfigName == configName {
 | |
| 				clientIDsToAdd.Add(clientID) // add all user-configured apps to the "add" list
 | |
| 				found = true
 | |
| 			}
 | |
| 		}
 | |
| 		if !found {
 | |
| 			return fmt.Errorf("unknown oauth2 application: %q", configName)
 | |
| 		}
 | |
| 	}
 | |
| 	clientIDsToDelete := container.Set[string]{}
 | |
| 	for _, app := range registeredApps {
 | |
| 		if !clientIDsToAdd.Contains(app.ClientID) {
 | |
| 			clientIDsToDelete.Add(app.ClientID) // if a registered app is not in the "add" list, it should be deleted
 | |
| 		}
 | |
| 	}
 | |
| 	for _, app := range registeredApps {
 | |
| 		clientIDsToAdd.Remove(app.ClientID) // no need to re-add existing (registered) apps, so remove them from the set
 | |
| 	}
 | |
| 
 | |
| 	for _, app := range registeredApps {
 | |
| 		if clientIDsToDelete.Contains(app.ClientID) {
 | |
| 			if err := deleteOAuth2Application(ctx, app.ID, 0); err != nil {
 | |
| 				return err
 | |
| 			}
 | |
| 		}
 | |
| 	}
 | |
| 	for clientID := range clientIDsToAdd {
 | |
| 		builtinApp := builtinApps[clientID]
 | |
| 		if err := db.Insert(ctx, &OAuth2Application{
 | |
| 			Name:         builtinApp.DisplayName,
 | |
| 			ClientID:     clientID,
 | |
| 			RedirectURIs: builtinApp.RedirectURIs,
 | |
| 		}); err != nil {
 | |
| 			return err
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	return nil
 | |
| }
 | |
| 
 | |
| // TableName sets the table name to `oauth2_application`
 | |
| func (app *OAuth2Application) TableName() string {
 | |
| 	return "oauth2_application"
 | |
| }
 | |
| 
 | |
| // ContainsRedirectURI checks if redirectURI is allowed for app
 | |
| func (app *OAuth2Application) ContainsRedirectURI(redirectURI string) bool {
 | |
| 	// OAuth2 requires the redirect URI to be an exact match, no dynamic parts are allowed.
 | |
| 	// https://stackoverflow.com/questions/55524480/should-dynamic-query-parameters-be-present-in-the-redirection-uri-for-an-oauth2
 | |
| 	// https://www.rfc-editor.org/rfc/rfc6819#section-5.2.3.3
 | |
| 	// https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
 | |
| 	// https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-12#section-3.1
 | |
| 	contains := func(s string) bool {
 | |
| 		s = strings.TrimSuffix(strings.ToLower(s), "/")
 | |
| 		for _, u := range app.RedirectURIs {
 | |
| 			if strings.TrimSuffix(strings.ToLower(u), "/") == s {
 | |
| 				return true
 | |
| 			}
 | |
| 		}
 | |
| 		return false
 | |
| 	}
 | |
| 	if !app.ConfidentialClient {
 | |
| 		uri, err := url.Parse(redirectURI)
 | |
| 		// ignore port for http loopback uris following https://datatracker.ietf.org/doc/html/rfc8252#section-7.3
 | |
| 		if err == nil && uri.Scheme == "http" && uri.Port() != "" {
 | |
| 			ip := net.ParseIP(uri.Hostname())
 | |
| 			if ip != nil && ip.IsLoopback() {
 | |
| 				// strip port
 | |
| 				uri.Host = uri.Hostname()
 | |
| 				if contains(uri.String()) {
 | |
| 					return true
 | |
| 				}
 | |
| 			}
 | |
| 		}
 | |
| 	}
 | |
| 	return contains(redirectURI)
 | |
| }
 | |
| 
 | |
| // Base32 characters, but lowercased.
 | |
| const lowerBase32Chars = "abcdefghijklmnopqrstuvwxyz234567"
 | |
| 
 | |
| // base32 encoder that uses lowered characters without padding.
 | |
| var base32Lower = base32.NewEncoding(lowerBase32Chars).WithPadding(base32.NoPadding)
 | |
| 
 | |
| // GenerateClientSecret will generate the client secret and returns the plaintext and saves the hash at the database
 | |
| func (app *OAuth2Application) GenerateClientSecret(ctx context.Context) (string, error) {
 | |
| 	rBytes, err := util.CryptoRandomBytes(32)
 | |
| 	if err != nil {
 | |
| 		return "", err
 | |
| 	}
 | |
| 	// Add a prefix to the base32, this is in order to make it easier
 | |
| 	// for code scanners to grab sensitive tokens.
 | |
| 	clientSecret := "gto_" + base32Lower.EncodeToString(rBytes)
 | |
| 
 | |
| 	hashedSecret, err := bcrypt.GenerateFromPassword([]byte(clientSecret), bcrypt.DefaultCost)
 | |
| 	if err != nil {
 | |
| 		return "", err
 | |
| 	}
 | |
| 	app.ClientSecret = string(hashedSecret)
 | |
| 	if _, err := db.GetEngine(ctx).ID(app.ID).Cols("client_secret").Update(app); err != nil {
 | |
| 		return "", err
 | |
| 	}
 | |
| 	return clientSecret, nil
 | |
| }
 | |
| 
 | |
| // ValidateClientSecret validates the given secret by the hash saved in database
 | |
| func (app *OAuth2Application) ValidateClientSecret(secret []byte) bool {
 | |
| 	return bcrypt.CompareHashAndPassword([]byte(app.ClientSecret), secret) == nil
 | |
| }
 | |
| 
 | |
| // GetGrantByUserID returns a OAuth2Grant by its user and application ID
 | |
| func (app *OAuth2Application) GetGrantByUserID(ctx context.Context, userID int64) (grant *OAuth2Grant, err error) {
 | |
| 	grant = new(OAuth2Grant)
 | |
| 	if has, err := db.GetEngine(ctx).Where("user_id = ? AND application_id = ?", userID, app.ID).Get(grant); err != nil {
 | |
| 		return nil, err
 | |
| 	} else if !has {
 | |
| 		return nil, nil
 | |
| 	}
 | |
| 	return grant, nil
 | |
| }
 | |
| 
 | |
| // CreateGrant generates a grant for an user
 | |
| func (app *OAuth2Application) CreateGrant(ctx context.Context, userID int64, scope string) (*OAuth2Grant, error) {
 | |
| 	grant := &OAuth2Grant{
 | |
| 		ApplicationID: app.ID,
 | |
| 		UserID:        userID,
 | |
| 		Scope:         scope,
 | |
| 	}
 | |
| 	err := db.Insert(ctx, grant)
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 	return grant, nil
 | |
| }
 | |
| 
 | |
| // GetOAuth2ApplicationByClientID returns the oauth2 application with the given client_id. Returns an error if not found.
 | |
| func GetOAuth2ApplicationByClientID(ctx context.Context, clientID string) (app *OAuth2Application, err error) {
 | |
| 	app = new(OAuth2Application)
 | |
| 	has, err := db.GetEngine(ctx).Where("client_id = ?", clientID).Get(app)
 | |
| 	if !has {
 | |
| 		return nil, ErrOAuthClientIDInvalid{ClientID: clientID}
 | |
| 	}
 | |
| 	return app, err
 | |
| }
 | |
| 
 | |
| // GetOAuth2ApplicationByID returns the oauth2 application with the given id. Returns an error if not found.
 | |
| func GetOAuth2ApplicationByID(ctx context.Context, id int64) (app *OAuth2Application, err error) {
 | |
| 	app = new(OAuth2Application)
 | |
| 	has, err := db.GetEngine(ctx).ID(id).Get(app)
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 	if !has {
 | |
| 		return nil, ErrOAuthApplicationNotFound{ID: id}
 | |
| 	}
 | |
| 	return app, nil
 | |
| }
 | |
| 
 | |
| // CreateOAuth2ApplicationOptions holds options to create an oauth2 application
 | |
| type CreateOAuth2ApplicationOptions struct {
 | |
| 	Name               string
 | |
| 	UserID             int64
 | |
| 	ConfidentialClient bool
 | |
| 	RedirectURIs       []string
 | |
| }
 | |
| 
 | |
| // CreateOAuth2Application inserts a new oauth2 application
 | |
| func CreateOAuth2Application(ctx context.Context, opts CreateOAuth2ApplicationOptions) (*OAuth2Application, error) {
 | |
| 	clientID := uuid.New().String()
 | |
| 	app := &OAuth2Application{
 | |
| 		UID:                opts.UserID,
 | |
| 		Name:               opts.Name,
 | |
| 		ClientID:           clientID,
 | |
| 		RedirectURIs:       opts.RedirectURIs,
 | |
| 		ConfidentialClient: opts.ConfidentialClient,
 | |
| 	}
 | |
| 	if err := db.Insert(ctx, app); err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 	return app, nil
 | |
| }
 | |
| 
 | |
| // UpdateOAuth2ApplicationOptions holds options to update an oauth2 application
 | |
| type UpdateOAuth2ApplicationOptions struct {
 | |
| 	ID                 int64
 | |
| 	Name               string
 | |
| 	UserID             int64
 | |
| 	ConfidentialClient bool
 | |
| 	RedirectURIs       []string
 | |
| }
 | |
| 
 | |
| // UpdateOAuth2Application updates an oauth2 application
 | |
| func UpdateOAuth2Application(ctx context.Context, opts UpdateOAuth2ApplicationOptions) (*OAuth2Application, error) {
 | |
| 	ctx, committer, err := db.TxContext(ctx)
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 	defer committer.Close()
 | |
| 
 | |
| 	app, err := GetOAuth2ApplicationByID(ctx, opts.ID)
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 	if app.UID != opts.UserID {
 | |
| 		return nil, errors.New("UID mismatch")
 | |
| 	}
 | |
| 	builtinApps := BuiltinApplications()
 | |
| 	if _, builtin := builtinApps[app.ClientID]; builtin {
 | |
| 		return nil, fmt.Errorf("failed to edit OAuth2 application: application is locked: %s", app.ClientID)
 | |
| 	}
 | |
| 
 | |
| 	app.Name = opts.Name
 | |
| 	app.RedirectURIs = opts.RedirectURIs
 | |
| 	app.ConfidentialClient = opts.ConfidentialClient
 | |
| 
 | |
| 	if err = updateOAuth2Application(ctx, app); err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 	app.ClientSecret = ""
 | |
| 
 | |
| 	return app, committer.Commit()
 | |
| }
 | |
| 
 | |
| func updateOAuth2Application(ctx context.Context, app *OAuth2Application) error {
 | |
| 	if _, err := db.GetEngine(ctx).ID(app.ID).UseBool("confidential_client").Update(app); err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 	return nil
 | |
| }
 | |
| 
 | |
| func deleteOAuth2Application(ctx context.Context, id, userid int64) error {
 | |
| 	sess := db.GetEngine(ctx)
 | |
| 	// the userid could be 0 if the app is instance-wide
 | |
| 	if deleted, err := sess.Where(builder.Eq{"id": id, "uid": userid}).Delete(&OAuth2Application{}); err != nil {
 | |
| 		return err
 | |
| 	} else if deleted == 0 {
 | |
| 		return ErrOAuthApplicationNotFound{ID: id}
 | |
| 	}
 | |
| 	codes := make([]*OAuth2AuthorizationCode, 0)
 | |
| 	// delete correlating auth codes
 | |
| 	if err := sess.Join("INNER", "oauth2_grant",
 | |
| 		"oauth2_authorization_code.grant_id = oauth2_grant.id AND oauth2_grant.application_id = ?", id).Find(&codes); err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 	codeIDs := make([]int64, 0, len(codes))
 | |
| 	for _, grant := range codes {
 | |
| 		codeIDs = append(codeIDs, grant.ID)
 | |
| 	}
 | |
| 
 | |
| 	if _, err := sess.In("id", codeIDs).Delete(new(OAuth2AuthorizationCode)); err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 
 | |
| 	if _, err := sess.Where("application_id = ?", id).Delete(new(OAuth2Grant)); err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 	return nil
 | |
| }
 | |
| 
 | |
| // DeleteOAuth2Application deletes the application with the given id and the grants and auth codes related to it. It checks if the userid was the creator of the app.
 | |
| func DeleteOAuth2Application(ctx context.Context, id, userid int64) error {
 | |
| 	ctx, committer, err := db.TxContext(ctx)
 | |
| 	if err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 	defer committer.Close()
 | |
| 	app, err := GetOAuth2ApplicationByID(ctx, id)
 | |
| 	if err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 	builtinApps := BuiltinApplications()
 | |
| 	if _, builtin := builtinApps[app.ClientID]; builtin {
 | |
| 		return fmt.Errorf("failed to delete OAuth2 application: application is locked: %s", app.ClientID)
 | |
| 	}
 | |
| 	if err := deleteOAuth2Application(ctx, id, userid); err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 	return committer.Commit()
 | |
| }
 | |
| 
 | |
| //////////////////////////////////////////////////////
 | |
| 
 | |
| // OAuth2AuthorizationCode is a code to obtain an access token in combination with the client secret once. It has a limited lifetime.
 | |
| type OAuth2AuthorizationCode struct {
 | |
| 	ID                  int64        `xorm:"pk autoincr"`
 | |
| 	Grant               *OAuth2Grant `xorm:"-"`
 | |
| 	GrantID             int64
 | |
| 	Code                string `xorm:"INDEX unique"`
 | |
| 	CodeChallenge       string
 | |
| 	CodeChallengeMethod string
 | |
| 	RedirectURI         string
 | |
| 	ValidUntil          timeutil.TimeStamp `xorm:"index"`
 | |
| }
 | |
| 
 | |
| // TableName sets the table name to `oauth2_authorization_code`
 | |
| func (code *OAuth2AuthorizationCode) TableName() string {
 | |
| 	return "oauth2_authorization_code"
 | |
| }
 | |
| 
 | |
| // GenerateRedirectURI generates a redirect URI for a successful authorization request. State will be used if not empty.
 | |
| func (code *OAuth2AuthorizationCode) GenerateRedirectURI(state string) (*url.URL, error) {
 | |
| 	redirect, err := url.Parse(code.RedirectURI)
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 	q := redirect.Query()
 | |
| 	if state != "" {
 | |
| 		q.Set("state", state)
 | |
| 	}
 | |
| 	q.Set("code", code.Code)
 | |
| 	redirect.RawQuery = q.Encode()
 | |
| 	return redirect, err
 | |
| }
 | |
| 
 | |
| // Invalidate deletes the auth code from the database to invalidate this code
 | |
| func (code *OAuth2AuthorizationCode) Invalidate(ctx context.Context) error {
 | |
| 	_, err := db.GetEngine(ctx).ID(code.ID).NoAutoCondition().Delete(code)
 | |
| 	return err
 | |
| }
 | |
| 
 | |
| // ValidateCodeChallenge validates the given verifier against the saved code challenge. This is part of the PKCE implementation.
 | |
| func (code *OAuth2AuthorizationCode) ValidateCodeChallenge(verifier string) bool {
 | |
| 	switch code.CodeChallengeMethod {
 | |
| 	case "S256":
 | |
| 		// base64url(SHA256(verifier)) see https://tools.ietf.org/html/rfc7636#section-4.6
 | |
| 		h := sha256.Sum256([]byte(verifier))
 | |
| 		hashedVerifier := base64.RawURLEncoding.EncodeToString(h[:])
 | |
| 		return hashedVerifier == code.CodeChallenge
 | |
| 	case "plain":
 | |
| 		return verifier == code.CodeChallenge
 | |
| 	case "":
 | |
| 		return true
 | |
| 	default:
 | |
| 		// unsupported method -> return false
 | |
| 		return false
 | |
| 	}
 | |
| }
 | |
| 
 | |
| // GetOAuth2AuthorizationByCode returns an authorization by its code
 | |
| func GetOAuth2AuthorizationByCode(ctx context.Context, code string) (auth *OAuth2AuthorizationCode, err error) {
 | |
| 	auth = new(OAuth2AuthorizationCode)
 | |
| 	if has, err := db.GetEngine(ctx).Where("code = ?", code).Get(auth); err != nil {
 | |
| 		return nil, err
 | |
| 	} else if !has {
 | |
| 		return nil, nil
 | |
| 	}
 | |
| 	auth.Grant = new(OAuth2Grant)
 | |
| 	if has, err := db.GetEngine(ctx).ID(auth.GrantID).Get(auth.Grant); err != nil {
 | |
| 		return nil, err
 | |
| 	} else if !has {
 | |
| 		return nil, nil
 | |
| 	}
 | |
| 	return auth, nil
 | |
| }
 | |
| 
 | |
| //////////////////////////////////////////////////////
 | |
| 
 | |
| // OAuth2Grant represents the permission of an user for a specific application to access resources
 | |
| type OAuth2Grant struct {
 | |
| 	ID            int64              `xorm:"pk autoincr"`
 | |
| 	UserID        int64              `xorm:"INDEX unique(user_application)"`
 | |
| 	Application   *OAuth2Application `xorm:"-"`
 | |
| 	ApplicationID int64              `xorm:"INDEX unique(user_application)"`
 | |
| 	Counter       int64              `xorm:"NOT NULL DEFAULT 1"`
 | |
| 	Scope         string             `xorm:"TEXT"`
 | |
| 	Nonce         string             `xorm:"TEXT"`
 | |
| 	CreatedUnix   timeutil.TimeStamp `xorm:"created"`
 | |
| 	UpdatedUnix   timeutil.TimeStamp `xorm:"updated"`
 | |
| }
 | |
| 
 | |
| // TableName sets the table name to `oauth2_grant`
 | |
| func (grant *OAuth2Grant) TableName() string {
 | |
| 	return "oauth2_grant"
 | |
| }
 | |
| 
 | |
| // GenerateNewAuthorizationCode generates a new authorization code for a grant and saves it to the database
 | |
| func (grant *OAuth2Grant) GenerateNewAuthorizationCode(ctx context.Context, redirectURI, codeChallenge, codeChallengeMethod string) (code *OAuth2AuthorizationCode, err error) {
 | |
| 	rBytes, err := util.CryptoRandomBytes(32)
 | |
| 	if err != nil {
 | |
| 		return &OAuth2AuthorizationCode{}, err
 | |
| 	}
 | |
| 	// Add a prefix to the base32, this is in order to make it easier
 | |
| 	// for code scanners to grab sensitive tokens.
 | |
| 	codeSecret := "gta_" + base32Lower.EncodeToString(rBytes)
 | |
| 
 | |
| 	code = &OAuth2AuthorizationCode{
 | |
| 		Grant:               grant,
 | |
| 		GrantID:             grant.ID,
 | |
| 		RedirectURI:         redirectURI,
 | |
| 		Code:                codeSecret,
 | |
| 		CodeChallenge:       codeChallenge,
 | |
| 		CodeChallengeMethod: codeChallengeMethod,
 | |
| 	}
 | |
| 	if err := db.Insert(ctx, code); err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 	return code, nil
 | |
| }
 | |
| 
 | |
| // IncreaseCounter increases the counter and updates the grant
 | |
| func (grant *OAuth2Grant) IncreaseCounter(ctx context.Context) error {
 | |
| 	_, err := db.GetEngine(ctx).ID(grant.ID).Incr("counter").Update(new(OAuth2Grant))
 | |
| 	if err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 	updatedGrant, err := GetOAuth2GrantByID(ctx, grant.ID)
 | |
| 	if err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 	grant.Counter = updatedGrant.Counter
 | |
| 	return nil
 | |
| }
 | |
| 
 | |
| // ScopeContains returns true if the grant scope contains the specified scope
 | |
| func (grant *OAuth2Grant) ScopeContains(scope string) bool {
 | |
| 	for _, currentScope := range strings.Split(grant.Scope, " ") {
 | |
| 		if scope == currentScope {
 | |
| 			return true
 | |
| 		}
 | |
| 	}
 | |
| 	return false
 | |
| }
 | |
| 
 | |
| // SetNonce updates the current nonce value of a grant
 | |
| func (grant *OAuth2Grant) SetNonce(ctx context.Context, nonce string) error {
 | |
| 	grant.Nonce = nonce
 | |
| 	_, err := db.GetEngine(ctx).ID(grant.ID).Cols("nonce").Update(grant)
 | |
| 	if err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 	return nil
 | |
| }
 | |
| 
 | |
| // GetOAuth2GrantByID returns the grant with the given ID
 | |
| func GetOAuth2GrantByID(ctx context.Context, id int64) (grant *OAuth2Grant, err error) {
 | |
| 	grant = new(OAuth2Grant)
 | |
| 	if has, err := db.GetEngine(ctx).ID(id).Get(grant); err != nil {
 | |
| 		return nil, err
 | |
| 	} else if !has {
 | |
| 		return nil, nil
 | |
| 	}
 | |
| 	return grant, err
 | |
| }
 | |
| 
 | |
| // GetOAuth2GrantsByUserID lists all grants of a certain user
 | |
| func GetOAuth2GrantsByUserID(ctx context.Context, uid int64) ([]*OAuth2Grant, error) {
 | |
| 	type joinedOAuth2Grant struct {
 | |
| 		Grant       *OAuth2Grant       `xorm:"extends"`
 | |
| 		Application *OAuth2Application `xorm:"extends"`
 | |
| 	}
 | |
| 	var results *xorm.Rows
 | |
| 	var err error
 | |
| 	if results, err = db.GetEngine(ctx).
 | |
| 		Table("oauth2_grant").
 | |
| 		Where("user_id = ?", uid).
 | |
| 		Join("INNER", "oauth2_application", "application_id = oauth2_application.id").
 | |
| 		Rows(new(joinedOAuth2Grant)); err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 	defer results.Close()
 | |
| 	grants := make([]*OAuth2Grant, 0)
 | |
| 	for results.Next() {
 | |
| 		joinedGrant := new(joinedOAuth2Grant)
 | |
| 		if err := results.Scan(joinedGrant); err != nil {
 | |
| 			return nil, err
 | |
| 		}
 | |
| 		joinedGrant.Grant.Application = joinedGrant.Application
 | |
| 		grants = append(grants, joinedGrant.Grant)
 | |
| 	}
 | |
| 	return grants, nil
 | |
| }
 | |
| 
 | |
| // RevokeOAuth2Grant deletes the grant with grantID and userID
 | |
| func RevokeOAuth2Grant(ctx context.Context, grantID, userID int64) error {
 | |
| 	_, err := db.GetEngine(ctx).Where(builder.Eq{"id": grantID, "user_id": userID}).Delete(&OAuth2Grant{})
 | |
| 	return err
 | |
| }
 | |
| 
 | |
| // ErrOAuthClientIDInvalid will be thrown if client id cannot be found
 | |
| type ErrOAuthClientIDInvalid struct {
 | |
| 	ClientID string
 | |
| }
 | |
| 
 | |
| // IsErrOauthClientIDInvalid checks if an error is a ErrOAuthClientIDInvalid.
 | |
| func IsErrOauthClientIDInvalid(err error) bool {
 | |
| 	_, ok := err.(ErrOAuthClientIDInvalid)
 | |
| 	return ok
 | |
| }
 | |
| 
 | |
| // Error returns the error message
 | |
| func (err ErrOAuthClientIDInvalid) Error() string {
 | |
| 	return fmt.Sprintf("Client ID invalid [Client ID: %s]", err.ClientID)
 | |
| }
 | |
| 
 | |
| // Unwrap unwraps this as a ErrNotExist err
 | |
| func (err ErrOAuthClientIDInvalid) Unwrap() error {
 | |
| 	return util.ErrNotExist
 | |
| }
 | |
| 
 | |
| // ErrOAuthApplicationNotFound will be thrown if id cannot be found
 | |
| type ErrOAuthApplicationNotFound struct {
 | |
| 	ID int64
 | |
| }
 | |
| 
 | |
| // IsErrOAuthApplicationNotFound checks if an error is a ErrReviewNotExist.
 | |
| func IsErrOAuthApplicationNotFound(err error) bool {
 | |
| 	_, ok := err.(ErrOAuthApplicationNotFound)
 | |
| 	return ok
 | |
| }
 | |
| 
 | |
| // Error returns the error message
 | |
| func (err ErrOAuthApplicationNotFound) Error() string {
 | |
| 	return fmt.Sprintf("OAuth application not found [ID: %d]", err.ID)
 | |
| }
 | |
| 
 | |
| // Unwrap unwraps this as a ErrNotExist err
 | |
| func (err ErrOAuthApplicationNotFound) Unwrap() error {
 | |
| 	return util.ErrNotExist
 | |
| }
 | |
| 
 | |
| // GetActiveOAuth2SourceByName returns a OAuth2 AuthSource based on the given name
 | |
| func GetActiveOAuth2SourceByName(ctx context.Context, name string) (*Source, error) {
 | |
| 	authSource := new(Source)
 | |
| 	has, err := db.GetEngine(ctx).Where("name = ? and type = ? and is_active = ?", name, OAuth2, true).Get(authSource)
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 
 | |
| 	if !has {
 | |
| 		return nil, fmt.Errorf("oauth2 source not found, name: %q", name)
 | |
| 	}
 | |
| 
 | |
| 	return authSource, nil
 | |
| }
 | |
| 
 | |
| func DeleteOAuth2RelictsByUserID(ctx context.Context, userID int64) error {
 | |
| 	deleteCond := builder.Select("id").From("oauth2_grant").Where(builder.Eq{"oauth2_grant.user_id": userID})
 | |
| 
 | |
| 	if _, err := db.GetEngine(ctx).In("grant_id", deleteCond).
 | |
| 		Delete(&OAuth2AuthorizationCode{}); err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 
 | |
| 	if err := db.DeleteBeans(ctx,
 | |
| 		&OAuth2Application{UID: userID},
 | |
| 		&OAuth2Grant{UserID: userID},
 | |
| 	); err != nil {
 | |
| 		return fmt.Errorf("DeleteBeans: %w", err)
 | |
| 	}
 | |
| 
 | |
| 	return nil
 | |
| }
 | |
| 
 | |
| // CountOrphanedOAuth2Applications returns the amount of orphaned OAuth2 applications.
 | |
| func CountOrphanedOAuth2Applications(ctx context.Context) (int64, error) {
 | |
| 	return db.GetEngine(ctx).
 | |
| 		Table("`oauth2_application`").
 | |
| 		Join("LEFT", "`user`", "`oauth2_application`.`uid` = `user`.`id`").
 | |
| 		Where(builder.IsNull{"`user`.id"}).
 | |
| 		Where(builder.Neq{"uid": 0}). // exclude instance-wide admin applications
 | |
| 		Where(builder.NotIn("`oauth2_application`.`client_id`", BuiltinApplicationsClientIDs())).
 | |
| 		Select("COUNT(`oauth2_application`.`id`)").
 | |
| 		Count()
 | |
| }
 | |
| 
 | |
| // DeleteOrphanedOAuth2Applications deletes orphaned OAuth2 applications.
 | |
| func DeleteOrphanedOAuth2Applications(ctx context.Context) (int64, error) {
 | |
| 	subQuery := builder.Select("`oauth2_application`.id").
 | |
| 		From("`oauth2_application`").
 | |
| 		Join("LEFT", "`user`", "`oauth2_application`.`uid` = `user`.`id`").
 | |
| 		Where(builder.IsNull{"`user`.id"}).
 | |
| 		Where(builder.Neq{"uid": 0}). // exclude instance-wide admin applications
 | |
| 		Where(builder.NotIn("`oauth2_application`.`client_id`", BuiltinApplicationsClientIDs()))
 | |
| 
 | |
| 	b := builder.Delete(builder.In("id", subQuery)).From("`oauth2_application`")
 | |
| 	_, err := db.GetEngine(ctx).Exec(b)
 | |
| 	return -1, err
 | |
| }
 |