diff options
author | zeripath <art27@cantab.net> | 2021-08-06 02:11:08 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-08-05 21:11:08 -0400 |
commit | ab9bb54144f136bbbba2ce2e94fd88c0be0ee1cf (patch) | |
tree | f8b283e33e70cbc3d827879c4774de2b41450ab0 /vendor | |
parent | 7e7006e00d8d0d5ce4c871685d421269049e4b39 (diff) | |
download | gitea-ab9bb54144f136bbbba2ce2e94fd88c0be0ee1cf.tar.gz gitea-ab9bb54144f136bbbba2ce2e94fd88c0be0ee1cf.zip |
Add microsoft oauth2 providers (#16544)
* Clean up oauth2 providers
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Add AzureAD, AzureADv2, MicrosoftOnline OAuth2 providers
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Apply suggestions from code review
* remove unused Scopes
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Diffstat (limited to 'vendor')
10 files changed, 1575 insertions, 0 deletions
diff --git a/vendor/github.com/markbates/going/LICENSE.txt b/vendor/github.com/markbates/going/LICENSE.txt new file mode 100644 index 0000000000..f8e6d5b27f --- /dev/null +++ b/vendor/github.com/markbates/going/LICENSE.txt @@ -0,0 +1,22 @@ +Copyright (c) 2014 Mark Bates + +MIT License + +Permission is hereby granted, free of charge, to any person obtaining +a copy of this software and associated documentation files (the +"Software"), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, +distribute, sublicense, and/or sell copies of the Software, and to +permit persons to whom the Software is furnished to do so, subject to +the following conditions: + +The above copyright notice and this permission notice shall be +included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/vendor/github.com/markbates/going/defaults/defaults.go b/vendor/github.com/markbates/going/defaults/defaults.go new file mode 100644 index 0000000000..0d81de6f42 --- /dev/null +++ b/vendor/github.com/markbates/going/defaults/defaults.go @@ -0,0 +1,36 @@ +package defaults + +func String(s1, s2 string) string { + if s1 == "" { + return s2 + } + return s1 +} + +func Int(i1, i2 int) int { + if i1 == 0 { + return i2 + } + return i1 +} + +func Int64(i1, i2 int64) int64 { + if i1 == 0 { + return i2 + } + return i1 +} + +func Float32(i1, i2 float32) float32 { + if i1 == 0.0 { + return i2 + } + return i1 +} + +func Float64(i1, i2 float64) float64 { + if i1 == 0.0 { + return i2 + } + return i1 +} diff --git a/vendor/github.com/markbates/goth/providers/azuread/azuread.go b/vendor/github.com/markbates/goth/providers/azuread/azuread.go new file mode 100644 index 0000000000..50fb47989b --- /dev/null +++ b/vendor/github.com/markbates/goth/providers/azuread/azuread.go @@ -0,0 +1,187 @@ +// Package azuread implements the OAuth2 protocol for authenticating users through AzureAD. +// This package can be used as a reference implementation of an OAuth2 provider for Goth. +// To use microsoft personal account use microsoftonline provider +package azuread + +import ( + "encoding/json" + "fmt" + "io" + "net/http" + "net/url" + "strings" + + "github.com/markbates/goth" + "golang.org/x/oauth2" +) + +const ( + authURL string = "https://login.microsoftonline.com/common/oauth2/authorize" + tokenURL string = "https://login.microsoftonline.com/common/oauth2/token" + endpointProfile string = "https://graph.windows.net/me?api-version=1.6" + graphAPIResource string = "https://graph.windows.net/" +) + +// New creates a new AzureAD provider, and sets up important connection details. +// You should always call `AzureAD.New` to get a new Provider. Never try to create +// one manually. +func New(clientKey, secret, callbackURL string, resources []string, scopes ...string) *Provider { + p := &Provider{ + ClientKey: clientKey, + Secret: secret, + CallbackURL: callbackURL, + providerName: "azuread", + } + + p.resources = make([]string, 0, 1+len(resources)) + p.resources = append(p.resources, graphAPIResource) + p.resources = append(p.resources, resources...) + + p.config = newConfig(p, scopes) + return p +} + +// Provider is the implementation of `goth.Provider` for accessing AzureAD. +type Provider struct { + ClientKey string + Secret string + CallbackURL string + HTTPClient *http.Client + config *oauth2.Config + providerName string + resources []string +} + +// Name is the name used to retrieve this provider later. +func (p *Provider) Name() string { + return p.providerName +} + +// SetName is to update the name of the provider (needed in case of multiple providers of 1 type) +func (p *Provider) SetName(name string) { + p.providerName = name +} + +// Client is HTTP client to be used in all fetch operations. +func (p *Provider) Client() *http.Client { + return goth.HTTPClientWithFallBack(p.HTTPClient) +} + +// Debug is a no-op for the package. +func (p *Provider) Debug(debug bool) {} + +// BeginAuth asks AzureAD for an authentication end-point. +func (p *Provider) BeginAuth(state string) (goth.Session, error) { + authURL := p.config.AuthCodeURL(state) + + // Azure ad requires at least one resource + authURL += "&resource=" + url.QueryEscape(strings.Join(p.resources, " ")) + + return &Session{ + AuthURL: authURL, + }, nil +} + +// FetchUser will go to AzureAD and access basic information about the user. +func (p *Provider) FetchUser(session goth.Session) (goth.User, error) { + msSession := session.(*Session) + user := goth.User{ + AccessToken: msSession.AccessToken, + Provider: p.Name(), + ExpiresAt: msSession.ExpiresAt, + } + + if user.AccessToken == "" { + return user, fmt.Errorf("%s cannot get user information without accessToken", p.providerName) + } + + req, err := http.NewRequest("GET", endpointProfile, nil) + if err != nil { + return user, err + } + + req.Header.Set(authorizationHeader(msSession)) + + response, err := p.Client().Do(req) + if err != nil { + return user, err + } + defer response.Body.Close() + + if response.StatusCode != http.StatusOK { + return user, fmt.Errorf("%s responded with a %d trying to fetch user information", p.providerName, response.StatusCode) + } + + err = userFromReader(response.Body, &user) + return user, err +} + +//RefreshTokenAvailable refresh token is provided by auth provider or not +func (p *Provider) RefreshTokenAvailable() bool { + return true +} + +//RefreshToken get new access token based on the refresh token +func (p *Provider) RefreshToken(refreshToken string) (*oauth2.Token, error) { + token := &oauth2.Token{RefreshToken: refreshToken} + ts := p.config.TokenSource(goth.ContextForClient(p.Client()), token) + newToken, err := ts.Token() + if err != nil { + return nil, err + } + return newToken, err +} + +func newConfig(provider *Provider, scopes []string) *oauth2.Config { + c := &oauth2.Config{ + ClientID: provider.ClientKey, + ClientSecret: provider.Secret, + RedirectURL: provider.CallbackURL, + Endpoint: oauth2.Endpoint{ + AuthURL: authURL, + TokenURL: tokenURL, + }, + Scopes: []string{}, + } + + if len(scopes) > 0 { + for _, scope := range scopes { + c.Scopes = append(c.Scopes, scope) + } + } else { + c.Scopes = append(c.Scopes, "user_impersonation") + } + + return c +} + +func userFromReader(r io.Reader, user *goth.User) error { + u := struct { + Name string `json:"name"` + Email string `json:"mail"` + FirstName string `json:"givenName"` + LastName string `json:"surname"` + NickName string `json:"mailNickname"` + UserPrincipalName string `json:"userPrincipalName"` + Location string `json:"usageLocation"` + }{} + + err := json.NewDecoder(r).Decode(&u) + if err != nil { + return err + } + + user.Email = u.Email + user.Name = u.Name + user.FirstName = u.FirstName + user.LastName = u.LastName + user.NickName = u.Name + user.Location = u.Location + user.UserID = u.UserPrincipalName //AzureAD doesn't provide separate user_id + + return nil +} + +func authorizationHeader(session *Session) (string, string) { + return "Authorization", fmt.Sprintf("Bearer %s", session.AccessToken) +} diff --git a/vendor/github.com/markbates/goth/providers/azuread/session.go b/vendor/github.com/markbates/goth/providers/azuread/session.go new file mode 100644 index 0000000000..098a9dc6dc --- /dev/null +++ b/vendor/github.com/markbates/goth/providers/azuread/session.go @@ -0,0 +1,63 @@ +package azuread + +import ( + "encoding/json" + "errors" + "strings" + "time" + + "github.com/markbates/goth" +) + +// Session is the implementation of `goth.Session` for accessing AzureAD. +type Session struct { + AuthURL string + AccessToken string + RefreshToken string + ExpiresAt time.Time +} + +// GetAuthURL will return the URL set by calling the `BeginAuth` function on the Facebook provider. +func (s Session) GetAuthURL() (string, error) { + if s.AuthURL == "" { + return "", errors.New(goth.NoAuthUrlErrorMessage) + } + + return s.AuthURL, nil +} + +// Authorize the session with AzureAD and return the access token to be stored for future use. +func (s *Session) Authorize(provider goth.Provider, params goth.Params) (string, error) { + p := provider.(*Provider) + token, err := p.config.Exchange(goth.ContextForClient(p.Client()), params.Get("code")) + if err != nil { + return "", err + } + + if !token.Valid() { + return "", errors.New("invalid token received from provider") + } + + s.AccessToken = token.AccessToken + s.RefreshToken = token.RefreshToken + s.ExpiresAt = token.Expiry + + return token.AccessToken, err +} + +// Marshal the session into a string +func (s Session) Marshal() string { + b, _ := json.Marshal(s) + return string(b) +} + +func (s Session) String() string { + return s.Marshal() +} + +// UnmarshalSession wil unmarshal a JSON string into a session. +func (p *Provider) UnmarshalSession(data string) (goth.Session, error) { + session := &Session{} + err := json.NewDecoder(strings.NewReader(data)).Decode(session) + return session, err +} diff --git a/vendor/github.com/markbates/goth/providers/azureadv2/azureadv2.go b/vendor/github.com/markbates/goth/providers/azureadv2/azureadv2.go new file mode 100644 index 0000000000..f293816a76 --- /dev/null +++ b/vendor/github.com/markbates/goth/providers/azureadv2/azureadv2.go @@ -0,0 +1,233 @@ +package azureadv2 + +import ( + "encoding/json" + "fmt" + "io" + "io/ioutil" + "net/http" + + "github.com/markbates/goth" + "golang.org/x/oauth2" +) + +// also https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols#endpoints +const ( + authURLTemplate string = "https://login.microsoftonline.com/%s/oauth2/v2.0/authorize" + tokenURLTemplate string = "https://login.microsoftonline.com/%s/oauth2/v2.0/token" + graphAPIResource string = "https://graph.microsoft.com/v1.0/" +) + +type ( + // TenantType are the well known tenant types to scope the users that can authenticate. TenantType is not an + // exclusive list of Azure Tenants which can be used. A consumer can also use their own Tenant ID to scope + // authentication to their specific Tenant either through the Tenant ID or the friendly domain name. + // + // see also https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols#endpoints + TenantType string + + // Provider is the implementation of `goth.Provider` for accessing AzureAD V2. + Provider struct { + ClientKey string + Secret string + CallbackURL string + HTTPClient *http.Client + config *oauth2.Config + providerName string + } + + // ProviderOptions are the collection of optional configuration to provide when constructing a Provider + ProviderOptions struct { + Scopes []ScopeType + Tenant TenantType + } +) + +// These are the well known Azure AD Tenants. These are not an exclusive list of all Tenants +// +// See also https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols#endpoints +const ( + // CommonTenant allows users with both personal Microsoft accounts and work/school accounts from Azure Active + // Directory to sign into the application. + CommonTenant TenantType = "common" + + // OrganizationsTenant allows only users with work/school accounts from Azure Active Directory to sign into the application. + OrganizationsTenant TenantType = "organizations" + + // ConsumersTenant allows only users with personal Microsoft accounts (MSA) to sign into the application. + ConsumersTenant TenantType = "consumers" +) + +// New creates a new AzureAD provider, and sets up important connection details. +// You should always call `AzureAD.New` to get a new Provider. Never try to create +// one manually. +func New(clientKey, secret, callbackURL string, opts ProviderOptions) *Provider { + p := &Provider{ + ClientKey: clientKey, + Secret: secret, + CallbackURL: callbackURL, + providerName: "azureadv2", + } + + p.config = newConfig(p, opts) + return p +} + +func newConfig(provider *Provider, opts ProviderOptions) *oauth2.Config { + tenant := opts.Tenant + if tenant == "" { + tenant = CommonTenant + } + + c := &oauth2.Config{ + ClientID: provider.ClientKey, + ClientSecret: provider.Secret, + RedirectURL: provider.CallbackURL, + Endpoint: oauth2.Endpoint{ + AuthURL: fmt.Sprintf(authURLTemplate, tenant), + TokenURL: fmt.Sprintf(tokenURLTemplate, tenant), + }, + Scopes: []string{}, + } + + if len(opts.Scopes) > 0 { + c.Scopes = append(c.Scopes, scopesToStrings(opts.Scopes...)...) + } else { + defaultScopes := scopesToStrings(OpenIDScope, ProfileScope, EmailScope, UserReadScope) + c.Scopes = append(c.Scopes, defaultScopes...) + } + + return c +} + +// Name is the name used to retrieve this provider later. +func (p *Provider) Name() string { + return p.providerName +} + +// SetName is to update the name of the provider (needed in case of multiple providers of 1 type) +func (p *Provider) SetName(name string) { + p.providerName = name +} + +// Client is HTTP client to be used in all fetch operations. +func (p *Provider) Client() *http.Client { + return goth.HTTPClientWithFallBack(p.HTTPClient) +} + +// Debug is a no-op for the package +func (p *Provider) Debug(debug bool) {} + +// BeginAuth asks for an authentication end-point for AzureAD. +func (p *Provider) BeginAuth(state string) (goth.Session, error) { + authURL := p.config.AuthCodeURL(state) + + return &Session{ + AuthURL: authURL, + }, nil +} + +// FetchUser will go to AzureAD and access basic information about the user. +func (p *Provider) FetchUser(session goth.Session) (goth.User, error) { + msSession := session.(*Session) + user := goth.User{ + AccessToken: msSession.AccessToken, + Provider: p.Name(), + ExpiresAt: msSession.ExpiresAt, + } + + if user.AccessToken == "" { + return user, fmt.Errorf("%s cannot get user information without accessToken", p.providerName) + } + + req, err := http.NewRequest("GET", graphAPIResource+"me", nil) + if err != nil { + return user, err + } + + req.Header.Set(authorizationHeader(msSession)) + + response, err := p.Client().Do(req) + if err != nil { + return user, err + } + defer response.Body.Close() + + if response.StatusCode != http.StatusOK { + return user, fmt.Errorf("%s responded with a %d trying to fetch user information", p.providerName, response.StatusCode) + } + + err = userFromReader(response.Body, &user) + user.AccessToken = msSession.AccessToken + user.RefreshToken = msSession.RefreshToken + user.ExpiresAt = msSession.ExpiresAt + return user, err +} + +//RefreshTokenAvailable refresh token is provided by auth provider or not +func (p *Provider) RefreshTokenAvailable() bool { + return true +} + +//RefreshToken get new access token based on the refresh token +func (p *Provider) RefreshToken(refreshToken string) (*oauth2.Token, error) { + token := &oauth2.Token{RefreshToken: refreshToken} + ts := p.config.TokenSource(goth.ContextForClient(p.Client()), token) + newToken, err := ts.Token() + if err != nil { + return nil, err + } + return newToken, err +} + +func authorizationHeader(session *Session) (string, string) { + return "Authorization", fmt.Sprintf("Bearer %s", session.AccessToken) +} + +func userFromReader(r io.Reader, user *goth.User) error { + u := struct { + ID string `json:"id"` // The unique identifier for the user. + BusinessPhones []string `json:"businessPhones"` // The user's phone numbers. + DisplayName string `json:"displayName"` // The name displayed in the address book for the user. + FirstName string `json:"givenName"` // The first name of the user. + JobTitle string `json:"jobTitle"` // The user's job title. + Email string `json:"mail"` // The user's email address. + MobilePhone string `json:"mobilePhone"` // The user's cellphone number. + OfficeLocation string `json:"officeLocation"` // The user's physical office location. + PreferredLanguage string `json:"preferredLanguage"` // The user's language of preference. + LastName string `json:"surname"` // The last name of the user. + UserPrincipalName string `json:"userPrincipalName"` // The user's principal name. + }{} + + userBytes, err := ioutil.ReadAll(r) + if err != nil { + return err + } + + if err := json.Unmarshal(userBytes, &u); err != nil { + return err + } + + user.Email = u.Email + user.Name = u.DisplayName + user.FirstName = u.FirstName + user.LastName = u.LastName + user.NickName = u.DisplayName + user.Location = u.OfficeLocation + user.UserID = u.ID + user.AvatarURL = graphAPIResource + fmt.Sprintf("users/%s/photo/$value", u.ID) + // Make sure all of the information returned is available via RawData + if err := json.Unmarshal(userBytes, &user.RawData); err != nil { + return err + } + + return nil +} + +func scopesToStrings(scopes ...ScopeType) []string { + strs := make([]string, len(scopes)) + for i := 0; i < len(scopes); i++ { + strs[i] = string(scopes[i]) + } + return strs +} diff --git a/vendor/github.com/markbates/goth/providers/azureadv2/scopes.go b/vendor/github.com/markbates/goth/providers/azureadv2/scopes.go new file mode 100644 index 0000000000..8dcedef323 --- /dev/null +++ b/vendor/github.com/markbates/goth/providers/azureadv2/scopes.go @@ -0,0 +1,714 @@ +package azureadv2 + +type ( + // ScopeType are the well known scopes which can be requested + ScopeType string +) + +// OpenID Permissions +// +// You can use these permissions to specify artifacts that you want returned in Azure AD authorization and token +// requests. They are supported differently by the Azure AD v1.0 and v2.0 endpoints. +// +// With the Azure AD (v1.0) endpoint, only the openid permission is used. You specify it in the scope parameter in an +// authorization request to return an ID token when you use the OpenID Connect protocol to sign in a user to your app. +// For more information, see Authorize access to web applications using OpenID Connect and Azure Active Directory. To +// successfully return an ID token, you must also make sure that the User.Read permission is configured when you +// register your app. +// +// With the Azure AD v2.0 endpoint, you specify the offline_access permission in the scope parameter to explicitly +// request a refresh token when using the OAuth 2.0 or OpenID Connect protocols. With OpenID Connect, you specify the +// openid permission to request an ID token. You can also specify the email permission, profile permission, or both to +// return additional claims in the ID token. You do not need to specify User.Read to return an ID token with the v2.0 +// endpoint. For more information, see OpenID Connect scopes. +const ( + // OpenIDScope shows on the work account consent page as the "Sign you in" permission, and on the personal Microsoft + // account consent page as the "View your profile and connect to apps and services using your Microsoft account" + // permission. With this permission, an app can receive a unique identifier for the user in the form of the sub + // claim. It also gives the app access to the UserInfo endpoint. The openid scope can be used at the v2.0 token + // endpoint to acquire ID tokens, which can be used to secure HTTP calls between different components of an app. + OpenIDScope ScopeType = "openid" + + // EmailScope can be used with the openid scope and any others. It gives the app access to the user's primary + // email address in the form of the email claim. The email claim is included in a token only if an email address is + // associated with the user account, which is not always the case. If it uses the email scope, your app should be + // prepared to handle a case in which the email claim does not exist in the token. + EmailScope ScopeType = "email" + + // ProfileScope can be used with the openid scope and any others. It gives the app access to a substantial + // amount of information about the user. The information it can access includes, but is not limited to, the user's + // given name, surname, preferred username, and object ID. For a complete list of the profile claims available in + // the id_tokens parameter for a specific user, see the v2.0 tokens reference: + // https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-id-and-access-tokens. + ProfileScope ScopeType = "profile" + + // OfflineAccessScope gives your app access to resources on behalf of the user for an extended time. On the work + // account consent page, this scope appears as the "Access your data anytime" permission. On the personal Microsoft + // account consent page, it appears as the "Access your info anytime" permission. When a user approves the + // offline_access scope, your app can receive refresh tokens from the v2.0 token endpoint. Refresh tokens are + // long-lived. Your app can get new access tokens as older ones expire. + // + // If your app does not request the offline_access scope, it won't receive refresh tokens. This means that when you + // redeem an authorization code in the OAuth 2.0 authorization code flow, you'll receive only an access token from + // the /token endpoint. The access token is valid for a short time. The access token usually expires in one hour. + // At that point, your app needs to redirect the user back to the /authorize endpoint to get a new authorization + // code. During this redirect, depending on the type of app, the user might need to enter their credentials again + // or consent again to permissions. + OfflineAccessScope ScopeType = "offline_access" +) + +// Calendar Permissions +// +// Calendars.Read.Shared and Calendars.ReadWrite.Shared are only valid for work or school accounts. All other +// permissions are valid for both Microsoft accounts and work or school accounts. +// +// See also https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference +const ( + // CalendarsReadScope allows the app to read events in user calendars. + CalendarsReadScope ScopeType = "Calendars.Read" + + // CalendarsReadSharedScope allows the app to read events in all calendars that the user can access, including + // delegate and shared calendars. + CalendarsReadSharedScope ScopeType = "Calendars.Read.Shared" + + // CalendarsReadWriteScope allows the app to create, read, update, and delete events in user calendars. + CalendarsReadWriteScope ScopeType = "Calendars.ReadWrite" + + // CalendarsReadWriteSharedScope allows the app to create, read, update and delete events in all calendars the user + // has permissions to access. This includes delegate and shared calendars. + CalendarsReadWriteSharedScope ScopeType = "Calendars.ReadWrite.Shared" +) + +// Contacts Permissions +// +// Only the Contacts.Read and Contacts.ReadWrite delegated permissions are valid for Microsoft accounts. +// +// See also https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference +const ( + // ContactsReadScope allows the app to read contacts that the user has permissions to access, including the user's + // own and shared contacts. + ContactsReadScope ScopeType = "Contacts.Read" + + // ContactsReadSharedScope allows the app to read contacts that the user has permissions to access, including the + // user's own and shared contacts. + ContactsReadSharedScope ScopeType = "Contacts.Read.Shared" + + // ContactsReadWriteScope allows the app to create, read, update, and delete user contacts. + ContactsReadWriteScope ScopeType = "Contacts.ReadWrite" + + // ContactsReadWriteSharedScope allows the app to create, read, update and delete contacts that the user has + // permissions to, including the user's own and shared contacts. + ContactsReadWriteSharedScope ScopeType = "Contacts.ReadWrite.Shared" +) + +// Device Permissions +// +// The Device.Read and Device.Command delegated permissions are valid only for personal Microsoft accounts. +// +// See also https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference +const ( + // DeviceReadScope allows the app to read a user's list of devices on behalf of the signed-in user. + DeviceReadScope ScopeType = "Device.Read" + + // DeviceCommandScope allows the app to launch another app or communicate with another app on a user's device on + // behalf of the signed-in user. + DeviceCommandScope ScopeType = "Device.Command" +) + +// Directory Permissions +// +// Directory permissions are not supported on Microsoft accounts. +// +// Directory permissions provide the highest level of privilege for accessing directory resources such as User, Group, +// and Device in an organization. +// +// They also exclusively control access to other directory resources like: organizational contacts, schema extension +// APIs, Privileged Identity Management (PIM) APIs, as well as many of the resources and APIs listed under the Azure +// Active Directory node in the v1.0 and beta API reference documentation. These include administrative units, directory +// roles, directory settings, policy, and many more. +// +// The Directory.ReadWrite.All permission grants the following privileges: +// - Full read of all directory resources (both declared properties and navigation properties) +// - Create and update users +// - Disable and enable users (but not company administrator) +// - Set user alternative security id (but not administrators) +// - Create and update groups +// - Manage group memberships +// - Update group owner +// - Manage license assignments +// - Define schema extensions on applications +// - Note: No rights to reset user passwords +// - Note: No rights to delete resources (including users or groups) +// - Note: Specifically excludes create or update for resources not listed above. This includes: application, +// oAauth2Permissiongrant, appRoleAssignment, device, servicePrincipal, organization, domains, and so on. +// +// See also https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference +const ( + // DirectoryReadAllScope allows the app to read data in your organization's directory, such as users, groups and + // apps. + // + // Note: Users may consent to applications that require this permission if the application is registered in their + // own organization’s tenant. + // + // requires admin consent + DirectoryReadAllScope ScopeType = "Directory.Read.All" + + // DirectoryReadWriteAllScope allows the app to read and write data in your organization's directory, such as users, + // and groups. It does not allow the app to delete users or groups, or reset user passwords. + // + // requires admin consent + DirectoryReadWriteAllScope ScopeType = "Directory.ReadWrite.All" + + // DirectoryAccessAsUserAllScope allows the app to have the same access to information in the directory as the + // signed-in user. + // + // requires admin consent + DirectoryAccessAsUserAllScope ScopeType = "Directory.AccessAsUser.All" +) + +// Education Administration Permissions +const ( + // EduAdministrationReadScope allows the app to read education app settings on behalf of the user. + // + // requires admin consent + EduAdministrationReadScope ScopeType = "EduAdministration.Read" + + // EduAdministrationReadWriteScope allows the app to manage education app settings on behalf of the user. + // + // requires admin consent + EduAdministrationReadWriteScope ScopeType = "EduAdministration.ReadWrite" + + // EduAssignmentsReadBasicScope allows the app to read assignments without grades on behalf of the user + // + // requires admin consent + EduAssignmentsReadBasicScope ScopeType = "EduAssignments.ReadBasic" + + // EduAssignmentsReadWriteBasicScope allows the app to read and write assignments without grades on behalf of the + // user + EduAssignmentsReadWriteBasicScope ScopeType = "EduAssignments.ReadWriteBasic" + + // EduAssignmentsReadScope allows the app to read assignments and their grades on behalf of the user + // + // requires admin consent + EduAssignmentsReadScope ScopeType = "EduAssignments.Read" + + // EduAssignmentsReadWriteScope allows the app to read and write assignments and their grades on behalf of the user + // + // requires admin consent + EduAssignmentsReadWriteScope ScopeType = "EduAssignments.ReadWrite" + + // EduRosteringReadBasicScope allows the app to read a limited subset of the data from the structure of schools and + // classes in an organization's roster and education-specific information about users to be read on behalf of the + // user. + // + // requires admin consent + EduRosteringReadBasicScope ScopeType = "EduRostering.ReadBasic" +) + +// Files Permissions +// +// The Files.Read, Files.ReadWrite, Files.Read.All, and Files.ReadWrite.All delegated permissions are valid on both +// personal Microsoft accounts and work or school accounts. Note that for personal accounts, Files.Read and +// Files.ReadWrite also grant access to files shared with the signed-in user. +// +// The Files.Read.Selected and Files.ReadWrite.Selected delegated permissions are only valid on work or school accounts +// and are only exposed for working with Office 365 file handlers (v1.0) +// https://msdn.microsoft.com/office/office365/howto/using-cross-suite-apps. They should not be used for directly +// calling Microsoft Graph APIs. +// +// The Files.ReadWrite.AppFolder delegated permission is only valid for personal accounts and is used for accessing the +// App Root special folder https://dev.onedrive.com/misc/appfolder.htm with the OneDrive Get special folder +// https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/drive_get_specialfolder Microsoft Graph API. +const ( + // FilesReadScope allows the app to read the signed-in user's files. + FilesReadScope ScopeType = "Files.Read" + + // FilesReadAllScope allows the app to read all files the signed-in user can access. + FilesReadAllScope ScopeType = "Files.Read.All" + + // FilesReadWrite allows the app to read, create, update, and delete the signed-in user's files. + FilesReadWriteScope ScopeType = "Files.ReadWrite" + + // FilesReadWriteAllScope allows the app to read, create, update, and delete all files the signed-in user can access. + FilesReadWriteAllScope ScopeType = "Files.ReadWrite.All" + + // FilesReadWriteAppFolderScope allows the app to read, create, update, and delete files in the application's folder. + FilesReadWriteAppFolderScope ScopeType = "Files.ReadWrite.AppFolder" + + // FilesReadSelectedScope allows the app to read files that the user selects. The app has access for several hours + // after the user selects a file. + // + // preview + FilesReadSelectedScope ScopeType = "Files.Read.Selected" + + // FilesReadWriteSelectedScope allows the app to read and write files that the user selects. The app has access for + // several hours after the user selects a file + // + // preview + FilesReadWriteSelectedScope ScopeType = "Files.ReadWrite.Selected" +) + +// Group Permissions +// +// Group functionality is not supported on personal Microsoft accounts. +// +// For Office 365 groups, Group permissions grant the app access to the contents of the group; for example, +// conversations, files, notes, and so on. +// +// For application permissions, there are some limitations for the APIs that are supported. For more information, see +// known issues. +// +// In some cases, an app may need Directory permissions to read some group properties like member and memberOf. For +// example, if a group has a one or more servicePrincipals as members, the app will need effective permissions to read +// service principals through being granted one of the Directory.* permissions, otherwise Microsoft Graph will return an +// error. (In the case of delegated permissions, the signed-in user will also need sufficient privileges in the +// organization to read service principals.) The same guidance applies for the memberOf property, which can return +// administrativeUnits. +// +// Group permissions are also used to control access to Microsoft Planner resources and APIs. Only delegated permissions +// are supported for Microsoft Planner APIs; application permissions are not supported. Personal Microsoft accounts are +// not supported. +const ( + // GroupReadAllScope allows the app to list groups, and to read their properties and all group memberships on behalf + // of the signed-in user. Also allows the app to read calendar, conversations, files, and other group content for + // all groups the signed-in user can access. + GroupReadAllScope ScopeType = "Group.Read.All" + + // GroupReadWriteAllScope allows the app to create groups and read all group properties and memberships on behalf of + // the signed-in user. Additionally allows group owners to manage their groups and allows group members to update + // group content. + GroupReadWriteAllScope ScopeType = "Group.ReadWrite.All" +) + +// Identity Risk Event Permissions +// +// IdentityRiskEvent.Read.All is valid only for work or school accounts. For an app with delegated permissions to read +// identity risk information, the signed-in user must be a member of one of the following administrator roles: Global +// Administrator, Security Administrator, or Security Reader. For more information about administrator roles, see +// Assigning administrator roles in Azure Active Directory. +const ( + // IdentityRiskEventReadAllScope allows the app to read identity risk event information for all users in your + // organization on behalf of the signed-in user. + // + // requires admin consent + IdentityRiskEventReadAllScope ScopeType = "IdentityRiskEvent.Read.All" +) + +// Identity Provider Permissions +// +// IdentityProvider.Read.All and IdentityProvider.ReadWrite.All are valid only for work or school accounts. For an app +// to read or write identity providers with delegated permissions, the signed-in user must be assigned the Global +// Administrator role. For more information about administrator roles, see Assigning administrator roles in Azure Active +// Directory. +const ( + // IdentityProviderReadAllScope allows the app to read identity providers configured in your Azure AD or Azure AD + // B2C tenant on behalf of the signed-in user. + // + // requires admin consent + IdentityProviderReadAllScope ScopeType = "IdentityProvider.Read.All" + + // IdentityProviderReadWriteAllScope allows the app to read or write identity providers configured in your Azure AD + // or Azure AD B2C tenant on behalf of the signed-in user. + // + // requires admin consent + IdentityProviderReadWriteAllScope ScopeType = "IdentityProvider.ReadWrite.All" +) + +// Device Management Permissions +// +// Using the Microsoft Graph APIs to configure Intune controls and policies still requires that the Intune service is +// correctly licensed by the customer. +// +// These permissions are only valid for work or school accounts. +const ( + // DeviceManagementAppsReadAllScope allows the app to read the properties, group assignments and status of apps, app + // configurations and app protection policies managed by Microsoft Intune. + // + // requires admin consent + DeviceManagementAppsReadAllScope ScopeType = "DeviceManagementApps.Read.All" + + // DeviceManagementAppsReadWriteAllScope allows the app to read and write the properties, group assignments and + // status of apps, app configurations and app protection policies managed by Microsoft Intune. + // + // requires admin consent + DeviceManagementAppsReadWriteAllScope ScopeType = "DeviceManagementApps.ReadWrite.All" + + // DeviceManagementConfigurationReadAllScope allows the app to read properties of Microsoft Intune-managed device + // configuration and device compliance policies and their assignment to groups. + // + // requires admin consent + DeviceManagementConfigurationReadAllScope ScopeType = "DeviceManagementConfiguration.Read.All" + + // DeviceManagementConfigurationReadWriteAllScope allows the app to read and write properties of Microsoft + // Intune-managed device configuration and device compliance policies and their assignment to groups. + // + // requires admin consent + DeviceManagementConfigurationReadWriteAllScope ScopeType = "DeviceManagementConfiguration.ReadWrite.All" + + // DeviceManagementManagedDevicesPrivilegedOperationsAllScope allows the app to perform remote high impact actions + // such as wiping the device or resetting the passcode on devices managed by Microsoft Intune. + // + // requires admin consent + DeviceManagementManagedDevicesPrivilegedOperationsAllScope ScopeType = "DeviceManagementManagedDevices.PrivilegedOperations.All" + + // DeviceManagementManagedDevicesReadAllScope allows the app to read the properties of devices managed by Microsoft + // Intune. + // + // requires admin consent + DeviceManagementManagedDevicesReadAllScope ScopeType = "DeviceManagementManagedDevices.Read.All" + + // DeviceManagementManagedDevicesReadWriteAllScope allows the app to read and write the properties of devices + // managed by Microsoft Intune. Does not allow high impact operations such as remote wipe and password reset on the + // device’s owner. + // + // requires admin consent + DeviceManagementManagedDevicesReadWriteAllScope ScopeType = "DeviceManagementManagedDevices.ReadWrite.All" + + // DeviceManagementRBACReadAllScope allows the app to read the properties relating to the Microsoft Intune + // Role-Based Access Control (RBAC) settings. + // + // requires admin consent + DeviceManagementRBACReadAllScope ScopeType = "DeviceManagementRBAC.Read.All" + + // DeviceManagementRBACReadWriteAllScope allows the app to read and write the properties relating to the Microsoft + // Intune Role-Based Access Control (RBAC) settings. + // + // requires admin consent + DeviceManagementRBACReadWriteAllScope ScopeType = "DeviceManagementRBAC.ReadWrite.All" + + // DeviceManagementServiceConfigReadAllScope allows the app to read Intune service properties including device + // enrollment and third party service connection configuration. + // + // requires admin consent + DeviceManagementServiceConfigReadAllScope ScopeType = "DeviceManagementServiceConfig.Read.All" + + // DeviceManagementServiceConfigReadWriteAllScope allows the app to read and write Microsoft Intune service + // properties including device enrollment and third party service connection configuration. + // + // requires admin consent + DeviceManagementServiceConfigReadWriteAllScope ScopeType = "DeviceManagementServiceConfig.ReadWrite.All" +) + +// Mail Permissions +// +// Mail.Read.Shared, Mail.ReadWrite.Shared, and Mail.Send.Shared are only valid for work or school accounts. All other +// permissions are valid for both Microsoft accounts and work or school accounts. +// +// With the Mail.Send or Mail.Send.Shared permission, an app can send mail and save a copy to the user's Sent Items +// folder, even if the app does not use a corresponding Mail.ReadWrite or Mail.ReadWrite.Shared permission. +const ( + // MailReadScope allows the app to read email in user mailboxes. + MailReadScope ScopeType = "Mail.Read" + + // MailReadWriteScope allows the app to create, read, update, and delete email in user mailboxes. Does not include + // permission to send mail. + MailReadWriteScope ScopeType = "Mail.ReadWrite" + + // MailReadSharedScope allows the app to read mail that the user can access, including the user's own and shared + // mail. + MailReadSharedScope ScopeType = "Mail.Read.Shared" + + // MailReadWriteSharedScope allows the app to create, read, update, and delete mail that the user has permission to + // access, including the user's own and shared mail. Does not include permission to send mail. + MailReadWriteSharedScope ScopeType = "Mail.ReadWrite.Shared" + + // MailSend allowsScope the app to send mail as users in the organization. + MailSendScope ScopeType = "Mail.Send" + + // MailSendSharedScope allows the app to send mail as the signed-in user, including sending on-behalf of others. + MailSendSharedScope ScopeType = "Mail.Send.Shared" + + // MailboxSettingsReadScope allows the app to the read user's mailbox settings. Does not include permission to send + // mail. + MailboxSettingsReadScope ScopeType = "Mailbox.Settings.Read" + + // MailboxSettingsReadWriteScope allows the app to create, read, update, and delete user's mailbox settings. Does + // not include permission to directly send mail, but allows the app to create rules that can forward or redirect + // messages. + MailboxSettingsReadWriteScope ScopeType = "MailboxSettings.ReadWrite" +) + +// Member Permissions +// +// Member.Read.Hidden is valid only on work or school accounts. +// +// Membership in some Office 365 groups can be hidden. This means that only the members of the group can view its +// members. This feature can be used to help comply with regulations that require an organization to hide group +// membership from outsiders (for example, an Office 365 group that represents students enrolled in a class). +const ( + // MemberReadHiddenScope allows the app to read the memberships of hidden groups and administrative units on behalf + // of the signed-in user, for those hidden groups and administrative units that the signed-in user has access to. + // + // requires admin consent + MemberReadHiddenScope ScopeType = "Member.Read.Hidden" +) + +// Notes Permissions +// +// Notes.Read.All and Notes.ReadWrite.All are only valid for work or school accounts. All other permissions are valid +// for both Microsoft accounts and work or school accounts. +// +// With the Notes.Create permission, an app can view the OneNote notebook hierarchy of the signed-in user and create +// OneNote content (notebooks, section groups, sections, pages, etc.). +// +// Notes.ReadWrite and Notes.ReadWrite.All also allow the app to modify the permissions on the OneNote content that can +// be accessed by the signed-in user. +// +// For work or school accounts, Notes.Read.All and Notes.ReadWrite.All allow the app to access other users' OneNote +// content that the signed-in user has permission to within the organization. +const ( + // NotesReadScope allows the app to read OneNote notebooks on behalf of the signed-in user. + NotesReadScope ScopeType = "Notes.Read" + + // NotesCreateScope allows the app to read the titles of OneNote notebooks and sections and to create new pages, + // notebooks, and sections on behalf of the signed-in user. + NotesCreateScope ScopeType = "Notes.Create" + + // NotesReadWriteScope allows the app to read, share, and modify OneNote notebooks on behalf of the signed-in user. + NotesReadWriteScope ScopeType = "Notes.ReadWrite" + + // NotesReadAllScope allows the app to read OneNote notebooks that the signed-in user has access to in the + // organization. + NotesReadAllScope ScopeType = "Notes.Read.All" + + // NotesReadWriteAllScope allows the app to read, share, and modify OneNote notebooks that the signed-in user has + // access to in the organization. + NotesReadWriteAllScope ScopeType = "Notes.ReadWrite.All" +) + +// People Permissions +// +// The People.Read.All permission is only valid for work and school accounts. +const ( + // PeopleReadScope allows the app to read a scored list of people relevant to the signed-in user. The list can + // include local contacts, contacts from social networking or your organization's directory, and people from recent + // communications (such as email and Skype). + PeopleReadScope ScopeType = "People.Read" + + // PeopleReadAllScope allows the app to read a scored list of people relevant to the signed-in user or other users + // in the signed-in user's organization. The list can include local contacts, contacts from social networking or + // your organization's directory, and people from recent communications (such as email and Skype). Also allows the + // app to search the entire directory of the signed-in user's organization. + // + // requires admin consent + PeopleReadAllScope ScopeType = "People.Read.All" +) + +// Report Permissions +// +// Reports permissions are only valid for work or school accounts. +const ( + // ReportsReadAllScope allows an app to read all service usage reports without a signed-in user. Services that + // provide usage reports include Office 365 and Azure Active Directory. + // + // requires admin consent + ReportsReadAllScope ScopeType = "Reports.Read.All" +) + +// Security Permissions +// +// Security permissions are valid only on work or school accounts. +const ( + // SecurityEventsReadAllScope allows the app to read your organization’s security events on behalf of the signed-in + // user. + // requires admin consent + SecurityEventsReadAllScope ScopeType = "SecurityEvents.Read.All" + + // SecurityEventsReadWriteAllScope allows the app to read your organization’s security events on behalf of the + // signed-in user. Also allows the app to update editable properties in security events on behalf of the signed-in + // user. + // + // requires admin consent + SecurityEventsReadWriteAllScope ScopeType = "SecurityEvents.ReadWrite.All" +) + +// Sites Permissions +// +// Sites permissions are valid only on work or school accounts. +const ( + // SitesReadAllScope allows the app to read documents and list items in all site collections on behalf of the + // signed-in user. + SitesReadAllScope ScopeType = "Sites.Read.All" + + // SitesReadWriteAllScope allows the app to edit or delete documents and list items in all site collections on + // behalf of the signed-in user. + SitesReadWriteAllScope ScopeType = "Sites.ReadWrite.All" + + // SitesManageAllScope allows the app to manage and create lists, documents, and list items in all site collections + // on behalf of the signed-in user. + SitesManageAllScope ScopeType = "Sites.Manage.All" + + // SitesFullControlAllScope allows the app to have full control to SharePoint sites in all site collections on + // behalf of the signed-in user. + // + // requires admin consent + SitesFullControlAllScope ScopeType = "Sites.FullControl.All" +) + +// Tasks Permissions +// +// Tasks permissions are used to control access for Outlook tasks. Access for Microsoft Planner tasks is controlled by +// Group permissions. +// +// Shared permissions are currently only supported for work or school accounts. Even with Shared permissions, reads and +// writes may fail if the user who owns the shared content has not granted the accessing user permissions to modify +// content within the folder. +const ( + // TasksReadScope allows the app to read user tasks. + TasksReadScope ScopeType = "Tasks.Read" + + // TasksReadSharedScope allows the app to read tasks a user has permissions to access, including their own and + // shared tasks. + TasksReadSharedScope ScopeType = "Tasks.Read.Shared" + + // TasksReadWriteScope allows the app to create, read, update and delete tasks and containers (and tasks in them) + // that are assigned to or shared with the signed-in user. + TasksReadWriteScope ScopeType = "Tasks.ReadWrite" + + // TasksReadWriteSharedScope allows the app to create, read, update, and delete tasks a user has permissions to, + // including their own and shared tasks. + TasksReadWriteSharedScope ScopeType = "Tasks.ReadWrite.Shared" +) + +// Terms of Use Permissions +// +// All the permissions above are valid only for work or school accounts. +// +// For an app to read or write all agreements or agreement acceptances with delegated permissions, the signed-in user +// must be assigned the Global Administrator, Conditional Access Administrator or Security Administrator role. For more +// information about administrator roles, see Assigning administrator roles in Azure Active Directory +// https://docs.microsoft.com/azure/active-directory/active-directory-assign-admin-roles. +const ( + // AgreementReadAllScope allows the app to read terms of use agreements on behalf of the signed-in user. + // + // requires admin consent + AgreementReadAllScope ScopeType = "Agreement.Read.All" + + // AgreementReadWriteAllScope allows the app to read and write terms of use agreements on behalf of the signed-in + // user. + // + // requires admin consent + AgreementReadWriteAllScope ScopeType = "Agreement.ReadWrite.All" + + // AgreementAcceptanceReadScope allows the app to read terms of use acceptance statuses on behalf of the signed-in + // user. + // + // requires admin consent + AgreementAcceptanceReadScope ScopeType = "AgreementAcceptance.Read" + + // AgreementAcceptanceReadAllScope allows the app to read terms of use acceptance statuses on behalf of the + // signed-in user. + // + // requires admin consent + AgreementAcceptanceReadAllScope ScopeType = "AgreementAcceptance.Read.All" +) + +// User Permissions +// +// The only permissions valid for Microsoft accounts are User.Read and User.ReadWrite. For work or school accounts, all +// permissions are valid. +// +// With the User.Read permission, an app can also read the basic company information of the signed-in user for a work or +// school account through the organization resource. The following properties are available: id, displayName, and +// verifiedDomains. +// +// For work or school accounts, the full profile includes all of the declared properties of the User resource. On reads, +// only a limited number of properties are returned by default. To read properties that are not in the default set, use +// $select. The default properties are: +// displayName +// givenName +// jobTitle +// mail +// mobilePhone +// officeLocation +// preferredLanguage +// surname +// userPrincipalName +// +// User.ReadWrite and User.Readwrite.All delegated permissions allow the app to update the following profile properties +// for work or school accounts: +// aboutMe +// birthday +// hireDate +// interests +// mobilePhone +// mySite +// pastProjects +// photo +// preferredName +// responsibilities +// schools +// skills +// +// With the User.ReadWrite.All application permission, the app can update all of the declared properties of work or +// school accounts except for password. +// +// To read or write direct reports (directReports) or the manager (manager) of a work or school account, the app must +// have either User.Read.All (read only) or User.ReadWrite.All. +// +// The User.ReadBasic.All permission constrains app access to a limited set of properties known as the basic profile. +// This is because the full profile might contain sensitive directory information. The basic profile includes only the +// following properties: +// displayName +// givenName +// mail +// photo +// surname +// userPrincipalName +// +// To read the group memberships of a user (memberOf), the app must have either Group.Read.All or Group.ReadWrite.All. +// However, if the user also has membership in a directoryRole or an administrativeUnit, the app will need effective +// permissions to read those resources too, or Microsoft Graph will return an error. This means the app will also need +// Directory permissions, and, for delegated permissions, the signed-in user will also need sufficient privileges in the +// organization to access directory roles and administrative units. +const ( + // UserReadScope allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It + // also allows the app to read basic company information of signed-in users. + UserReadScope ScopeType = "User.Read" + + // UserReadWriteScope allows the app to read the signed-in user's full profile. It also allows the app to update the + // signed-in user's profile information on their behalf. + UserReadWriteScope ScopeType = "User.ReadWrite" + + // UserReadBasicAllScope allows the app to read a basic set of profile properties of other users in your + // organization on behalf of the signed-in user. This includes display name, first and last name, email address, + // open extensions and photo. Also allows the app to read the full profile of the signed-in user. + UserReadBasicAllScope ScopeType = "User.ReadBasic.All" + + // UserReadAllScope allows the app to read the full set of profile properties, reports, and managers of other users + // in your organization, on behalf of the signed-in user. + // + // requires admin consent + UserReadAllScope ScopeType = "User.Read.All" + + // UserReadWriteAllScope allows the app to read and write the full set of profile properties, reports, and managers + // of other users in your organization, on behalf of the signed-in user. Also allows the app to create and delete + // users as well as reset user passwords on behalf of the signed-in user. + // + // requires admin consent + UserReadWriteAllScope ScopeType = "User.ReadWrite.All" + + // UserInviteAllScope allows the app to invite guest users to your organization, on behalf of the signed-in user. + // + // requires admin consent + UserInviteAllScope ScopeType = "User.Invite.All" + + // UserExportAllScope allows the app to export an organizational user's data, when performed by a Company + // Administrator. + // + // requires admin consent + UserExportAllScope ScopeType = "User.Export.All" +) + +// User Activity Permissions +// +// UserActivity.ReadWrite.CreatedByApp is valid for both Microsoft accounts and work or school accounts. +// +// The CreatedByApp constraint associated with this permission indicates the service will apply implicit filtering to +// results based on the identity of the calling app, either the MSA app id or a set of app ids configured for a +// cross-platform application identity. +const ( + // UserActivityReadWriteCreatedByAppScope allows the app to read and report the signed-in user's activity in the + // app. + UserActivityReadWriteCreatedByAppScope ScopeType = "UserActivity.ReadWrite.CreatedByApp" +) diff --git a/vendor/github.com/markbates/goth/providers/azureadv2/session.go b/vendor/github.com/markbates/goth/providers/azureadv2/session.go new file mode 100644 index 0000000000..f2f0cd07cb --- /dev/null +++ b/vendor/github.com/markbates/goth/providers/azureadv2/session.go @@ -0,0 +1,63 @@ +package azureadv2 + +import ( + "encoding/json" + "errors" + "strings" + "time" + + "github.com/markbates/goth" +) + +// Session is the implementation of `goth.Session` +type Session struct { + AuthURL string `json:"au"` + AccessToken string `json:"at"` + RefreshToken string `json:"rt"` + ExpiresAt time.Time `json:"exp"` +} + +// GetAuthURL will return the URL set by calling the `BeginAuth` func +func (s Session) GetAuthURL() (string, error) { + if s.AuthURL == "" { + return "", errors.New(goth.NoAuthUrlErrorMessage) + } + + return s.AuthURL, nil +} + +// Authorize the session with AzureAD and return the access token to be stored for future use. +func (s *Session) Authorize(provider goth.Provider, params goth.Params) (string, error) { + p := provider.(*Provider) + token, err := p.config.Exchange(goth.ContextForClient(p.Client()), params.Get("code")) + if err != nil { + return "", err + } + + if !token.Valid() { + return "", errors.New("invalid token received from provider") + } + + s.AccessToken = token.AccessToken + s.RefreshToken = token.RefreshToken + s.ExpiresAt = token.Expiry + + return token.AccessToken, err +} + +// Marshal the session into a string +func (s Session) Marshal() string { + b, _ := json.Marshal(s) + return string(b) +} + +func (s Session) String() string { + return s.Marshal() +} + +// UnmarshalSession wil unmarshal a JSON string into a session. +func (p *Provider) UnmarshalSession(data string) (goth.Session, error) { + session := &Session{} + err := json.NewDecoder(strings.NewReader(data)).Decode(session) + return session, err +} diff --git a/vendor/github.com/markbates/goth/providers/microsoftonline/microsoftonline.go b/vendor/github.com/markbates/goth/providers/microsoftonline/microsoftonline.go new file mode 100644 index 0000000000..0ee1bece66 --- /dev/null +++ b/vendor/github.com/markbates/goth/providers/microsoftonline/microsoftonline.go @@ -0,0 +1,190 @@ +// Package microsoftonline implements the OAuth2 protocol for authenticating users through microsoftonline. +// This package can be used as a reference implementation of an OAuth2 provider for Goth. +// To use this package, your application need to be registered in [Application Registration Portal](https://apps.dev.microsoft.com/) +package microsoftonline + +import ( + "bytes" + "encoding/json" + "fmt" + "io" + "net/http" + + "github.com/markbates/going/defaults" + "github.com/markbates/goth" + "golang.org/x/oauth2" +) + +const ( + authURL string = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize" + tokenURL string = "https://login.microsoftonline.com/common/oauth2/v2.0/token" + endpointProfile string = "https://graph.microsoft.com/v1.0/me" +) + +var defaultScopes = []string{"openid", "offline_access", "user.read"} + +// New creates a new microsoftonline provider, and sets up important connection details. +// You should always call `microsoftonline.New` to get a new Provider. Never try to create +// one manually. +func New(clientKey, secret, callbackURL string, scopes ...string) *Provider { + p := &Provider{ + ClientKey: clientKey, + Secret: secret, + CallbackURL: callbackURL, + providerName: "microsoftonline", + } + + p.config = newConfig(p, scopes) + return p +} + +// Provider is the implementation of `goth.Provider` for accessing microsoftonline. +type Provider struct { + ClientKey string + Secret string + CallbackURL string + HTTPClient *http.Client + config *oauth2.Config + providerName string + tenant string +} + +// Name is the name used to retrieve this provider later. +func (p *Provider) Name() string { + return p.providerName +} + +// SetName is to update the name of the provider (needed in case of multiple providers of 1 type) +func (p *Provider) SetName(name string) { + p.providerName = name +} + +// Client is HTTP client to be used in all fetch operations. +func (p *Provider) Client() *http.Client { + return goth.HTTPClientWithFallBack(p.HTTPClient) +} + +// Debug is a no-op for the facebook package. +func (p *Provider) Debug(debug bool) {} + +// BeginAuth asks MicrosoftOnline for an authentication end-point. +func (p *Provider) BeginAuth(state string) (goth.Session, error) { + authURL := p.config.AuthCodeURL(state) + return &Session{ + AuthURL: authURL, + }, nil +} + +// FetchUser will go to MicrosoftOnline and access basic information about the user. +func (p *Provider) FetchUser(session goth.Session) (goth.User, error) { + msSession := session.(*Session) + user := goth.User{ + AccessToken: msSession.AccessToken, + Provider: p.Name(), + ExpiresAt: msSession.ExpiresAt, + } + + if user.AccessToken == "" { + return user, fmt.Errorf("%s cannot get user information without accessToken", p.providerName) + } + + req, err := http.NewRequest("GET", endpointProfile, nil) + if err != nil { + return user, err + } + + req.Header.Set(authorizationHeader(msSession)) + + response, err := p.Client().Do(req) + if err != nil { + return user, err + } + defer response.Body.Close() + + if response.StatusCode != http.StatusOK { + return user, fmt.Errorf("%s responded with a %d trying to fetch user information", p.providerName, response.StatusCode) + } + + user.AccessToken = msSession.AccessToken + + err = userFromReader(response.Body, &user) + return user, err +} + +// RefreshTokenAvailable refresh token is provided by auth provider or not +// not available for microsoft online as session size hit the limit of max cookie size +func (p *Provider) RefreshTokenAvailable() bool { + return false +} + +//RefreshToken get new access token based on the refresh token +func (p *Provider) RefreshToken(refreshToken string) (*oauth2.Token, error) { + if refreshToken == "" { + return nil, fmt.Errorf("No refresh token provided") + } + + token := &oauth2.Token{RefreshToken: refreshToken} + ts := p.config.TokenSource(goth.ContextForClient(p.Client()), token) + newToken, err := ts.Token() + if err != nil { + return nil, err + } + return newToken, err +} + +func newConfig(provider *Provider, scopes []string) *oauth2.Config { + c := &oauth2.Config{ + ClientID: provider.ClientKey, + ClientSecret: provider.Secret, + RedirectURL: provider.CallbackURL, + Endpoint: oauth2.Endpoint{ + AuthURL: authURL, + TokenURL: tokenURL, + }, + Scopes: []string{}, + } + + c.Scopes = append(c.Scopes, scopes...) + if len(scopes) == 0 { + c.Scopes = append(c.Scopes, defaultScopes...) + } + + return c +} + +func userFromReader(r io.Reader, user *goth.User) error { + buf := &bytes.Buffer{} + tee := io.TeeReader(r, buf) + + u := struct { + ID string `json:"id"` + Name string `json:"displayName"` + Email string `json:"mail"` + FirstName string `json:"givenName"` + LastName string `json:"surname"` + UserPrincipalName string `json:"userPrincipalName"` + }{} + + if err := json.NewDecoder(tee).Decode(&u); err != nil { + return err + } + + raw := map[string]interface{}{} + if err := json.NewDecoder(buf).Decode(&raw); err != nil { + return err + } + + user.UserID = u.ID + user.Email = defaults.String(u.Email, u.UserPrincipalName) + user.Name = u.Name + user.NickName = u.Name + user.FirstName = u.FirstName + user.LastName = u.LastName + user.RawData = raw + + return nil +} + +func authorizationHeader(session *Session) (string, string) { + return "Authorization", fmt.Sprintf("Bearer %s", session.AccessToken) +} diff --git a/vendor/github.com/markbates/goth/providers/microsoftonline/session.go b/vendor/github.com/markbates/goth/providers/microsoftonline/session.go new file mode 100644 index 0000000000..0747ab5233 --- /dev/null +++ b/vendor/github.com/markbates/goth/providers/microsoftonline/session.go @@ -0,0 +1,62 @@ +package microsoftonline + +import ( + "encoding/json" + "errors" + "strings" + "time" + + "github.com/markbates/goth" +) + +// Session is the implementation of `goth.Session` for accessing microsoftonline. +// Refresh token not available for microsoft online: session size hit the limit of max cookie size +type Session struct { + AuthURL string + AccessToken string + ExpiresAt time.Time +} + +// GetAuthURL will return the URL set by calling the `BeginAuth` function on the Facebook provider. +func (s Session) GetAuthURL() (string, error) { + if s.AuthURL == "" { + return "", errors.New(goth.NoAuthUrlErrorMessage) + } + + return s.AuthURL, nil +} + +// Authorize the session with Facebook and return the access token to be stored for future use. +func (s *Session) Authorize(provider goth.Provider, params goth.Params) (string, error) { + p := provider.(*Provider) + token, err := p.config.Exchange(goth.ContextForClient(p.Client()), params.Get("code")) + if err != nil { + return "", err + } + + if !token.Valid() { + return "", errors.New("Invalid token received from provider") + } + + s.AccessToken = token.AccessToken + s.ExpiresAt = token.Expiry + + return token.AccessToken, err +} + +// Marshal the session into a string +func (s Session) Marshal() string { + b, _ := json.Marshal(s) + return string(b) +} + +func (s Session) String() string { + return s.Marshal() +} + +// UnmarshalSession wil unmarshal a JSON string into a session. +func (p *Provider) UnmarshalSession(data string) (goth.Session, error) { + session := &Session{} + err := json.NewDecoder(strings.NewReader(data)).Decode(session) + return session, err +} diff --git a/vendor/modules.txt b/vendor/modules.txt index 2a616ad9cd..a9eabbbba4 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -570,10 +570,14 @@ github.com/mailru/easyjson github.com/mailru/easyjson/buffer github.com/mailru/easyjson/jlexer github.com/mailru/easyjson/jwriter +# github.com/markbates/going v1.0.0 +github.com/markbates/going/defaults # github.com/markbates/goth v1.68.0 ## explicit github.com/markbates/goth github.com/markbates/goth/gothic +github.com/markbates/goth/providers/azuread +github.com/markbates/goth/providers/azureadv2 github.com/markbates/goth/providers/bitbucket github.com/markbates/goth/providers/discord github.com/markbates/goth/providers/dropbox @@ -583,6 +587,7 @@ github.com/markbates/goth/providers/github github.com/markbates/goth/providers/gitlab github.com/markbates/goth/providers/google github.com/markbates/goth/providers/mastodon +github.com/markbates/goth/providers/microsoftonline github.com/markbates/goth/providers/nextcloud github.com/markbates/goth/providers/openidConnect github.com/markbates/goth/providers/twitter |