mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 210 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
14435 Commits
17 Branches
Tree: 4011821c94
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4011821c94'
${ noResults }
gitea/services/auth/oauth2.go

oauth2.go 4.6KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159 
  1. // Copyright 2014 The Gogs Authors. All rights reserved.

  2. // Copyright 2019 The Gitea Authors. All rights reserved.

  3. // SPDX-License-Identifier: MIT

  4. 

  5. package auth

  6. 

  7. import (

  8. 	"net/http"

  9. 	"strings"

  10. 	"time"

  11. 

  12. 	actions_model "code.gitea.io/gitea/models/actions"

  13. 	auth_model "code.gitea.io/gitea/models/auth"

  14. 	"code.gitea.io/gitea/models/db"

  15. 	user_model "code.gitea.io/gitea/models/user"

  16. 	"code.gitea.io/gitea/modules/log"

  17. 	"code.gitea.io/gitea/modules/timeutil"

  18. 	"code.gitea.io/gitea/modules/web/middleware"

  19. 	"code.gitea.io/gitea/services/auth/source/oauth2"

  20. )

  21. 

  22. // Ensure the struct implements the interface.

  23. var (

  24. 	_ Method = &OAuth2{}

  25. 	_ Named  = &OAuth2{}

  26. )

  27. 

  28. // CheckOAuthAccessToken returns uid of user from oauth token

  29. func CheckOAuthAccessToken(accessToken string) int64 {

  30. 	// JWT tokens require a "."

  31. 	if !strings.Contains(accessToken, ".") {

  32. 		return 0

  33. 	}

  34. 	token, err := oauth2.ParseToken(accessToken, oauth2.DefaultSigningKey)

  35. 	if err != nil {

  36. 		log.Trace("oauth2.ParseToken: %v", err)

  37. 		return 0

  38. 	}

  39. 	var grant *auth_model.OAuth2Grant

  40. 	if grant, err = auth_model.GetOAuth2GrantByID(db.DefaultContext, token.GrantID); err != nil || grant == nil {

  41. 		return 0

  42. 	}

  43. 	if token.Type != oauth2.TypeAccessToken {

  44. 		return 0

  45. 	}

  46. 	if token.ExpiresAt.Before(time.Now()) || token.IssuedAt.After(time.Now()) {

  47. 		return 0

  48. 	}

  49. 	return grant.UserID

  50. }

  51. 

  52. // OAuth2 implements the Auth interface and authenticates requests

  53. // (API requests only) by looking for an OAuth token in query parameters or the

  54. // "Authorization" header.

  55. type OAuth2 struct{}

  56. 

  57. // Name represents the name of auth method

  58. func (o *OAuth2) Name() string {

  59. 	return "oauth2"

  60. }

  61. 

  62. // userIDFromToken returns the user id corresponding to the OAuth token.

  63. // It will set 'IsApiToken' to true if the token is an API token and

  64. // set 'ApiTokenScope' to the scope of the access token

  65. func (o *OAuth2) userIDFromToken(req *http.Request, store DataStore) int64 {

  66. 	_ = req.ParseForm()

  67. 

  68. 	// Check access token.

  69. 	tokenSHA := req.Form.Get("token")

  70. 	if len(tokenSHA) == 0 {

  71. 		tokenSHA = req.Form.Get("access_token")

  72. 	}

  73. 	if len(tokenSHA) == 0 {

  74. 		// Well, check with header again.

  75. 		auHead := req.Header.Get("Authorization")

  76. 		if len(auHead) > 0 {

  77. 			auths := strings.Fields(auHead)

  78. 			if len(auths) == 2 && (auths[0] == "token" || strings.ToLower(auths[0]) == "bearer") {

  79. 				tokenSHA = auths[1]

  80. 			}

  81. 		}

  82. 	}

  83. 	if len(tokenSHA) == 0 {

  84. 		return 0

  85. 	}

  86. 

  87. 	// Let's see if token is valid.

  88. 	if strings.Contains(tokenSHA, ".") {

  89. 		uid := CheckOAuthAccessToken(tokenSHA)

  90. 		if uid != 0 {

  91. 			store.GetData()["IsApiToken"] = true

  92. 			store.GetData()["ApiTokenScope"] = auth_model.AccessTokenScopeAll // fallback to all

  93. 		}

  94. 		return uid

  95. 	}

  96. 	t, err := auth_model.GetAccessTokenBySHA(tokenSHA)

  97. 	if err != nil {

  98. 		if auth_model.IsErrAccessTokenNotExist(err) {

  99. 			// check task token

  100. 			task, err := actions_model.GetRunningTaskByToken(db.DefaultContext, tokenSHA)

  101. 			if err == nil && task != nil {

  102. 				log.Trace("Basic Authorization: Valid AccessToken for task[%d]", task.ID)

  103. 

  104. 				store.GetData()["IsActionsToken"] = true

  105. 				store.GetData()["ActionsTaskID"] = task.ID

  106. 

  107. 				return user_model.ActionsUserID

  108. 			}

  109. 		} else if !auth_model.IsErrAccessTokenNotExist(err) && !auth_model.IsErrAccessTokenEmpty(err) {

  110. 			log.Error("GetAccessTokenBySHA: %v", err)

  111. 		}

  112. 		return 0

  113. 	}

  114. 	t.UpdatedUnix = timeutil.TimeStampNow()

  115. 	if err = auth_model.UpdateAccessToken(t); err != nil {

  116. 		log.Error("UpdateAccessToken: %v", err)

  117. 	}

  118. 	store.GetData()["IsApiToken"] = true

  119. 	store.GetData()["ApiTokenScope"] = t.Scope

  120. 	return t.UID

  121. }

  122. 

  123. // Verify extracts the user ID from the OAuth token in the query parameters

  124. // or the "Authorization" header and returns the corresponding user object for that ID.

  125. // If verification is successful returns an existing user object.

  126. // Returns nil if verification fails.

  127. func (o *OAuth2) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {

  128. 	if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isAuthenticatedTokenRequest(req) {

  129. 		return nil, nil

  130. 	}

  131. 

  132. 	id := o.userIDFromToken(req, store)

  133. 

  134. 	if id <= 0 && id != -2 { // -2 means actions, so we need to allow it.

  135. 		return nil, nil

  136. 	}

  137. 	log.Trace("OAuth2 Authorization: Found token for user[%d]", id)

  138. 

  139. 	user, err := user_model.GetPossibleUserByID(req.Context(), id)

  140. 	if err != nil {

  141. 		if !user_model.IsErrUserNotExist(err) {

  142. 			log.Error("GetUserByName: %v", err)

  143. 		}

  144. 		return nil, err

  145. 	}

  146. 

  147. 	log.Trace("OAuth2 Authorization: Logged in user %-v", user)

  148. 	return user, nil

  149. }

  150. 

  151. func isAuthenticatedTokenRequest(req *http.Request) bool {

  152. 	switch req.URL.Path {

  153. 	case "/login/oauth/userinfo":

  154. 		fallthrough

  155. 	case "/login/oauth/introspect":

  156. 		return true

  157. 	}

  158. 	return false

  159. }