mirrors
/
gitea
peilaus alkaen https://github.com/go-gitea/gitea.git
Tarkkaile 1
Äänestä 0
Fork 0
Koodi Ongelmat 0 Julkaisut 211 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
17280 Commitit
17 Branchit
Puu: 4ba642d07d
Branchit Tagit
${ item.name }
Create branch ${ searchTerm }
from '4ba642d07d'
${ noResults }
gitea/models/auth/oauth2.go

oauth2.go 20KB
Raaka Blame Historia

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639 
  1. // Copyright 2019 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package auth

  5. 

  6. import (

  7. 	"context"

  8. 	"crypto/sha256"

  9. 	"encoding/base32"

  10. 	"encoding/base64"

  11. 	"fmt"

  12. 	"net"

  13. 	"net/url"

  14. 	"strings"

  15. 

  16. 	"code.gitea.io/gitea/models/db"

  17. 	"code.gitea.io/gitea/modules/container"

  18. 	"code.gitea.io/gitea/modules/setting"

  19. 	"code.gitea.io/gitea/modules/timeutil"

  20. 	"code.gitea.io/gitea/modules/util"

  21. 

  22. 	uuid "github.com/google/uuid"

  23. 	"golang.org/x/crypto/bcrypt"

  24. 	"xorm.io/builder"

  25. 	"xorm.io/xorm"

  26. )

  27. 

  28. // OAuth2Application represents an OAuth2 client (RFC 6749)

  29. type OAuth2Application struct {

  30. 	ID           int64 `xorm:"pk autoincr"`

  31. 	UID          int64 `xorm:"INDEX"`

  32. 	Name         string

  33. 	ClientID     string `xorm:"unique"`

  34. 	ClientSecret string

  35. 	// OAuth defines both Confidential and Public client types

  36. 	// https://datatracker.ietf.org/doc/html/rfc6749#section-2.1

  37. 	// "Authorization servers MUST record the client type in the client registration details"

  38. 	// https://datatracker.ietf.org/doc/html/rfc8252#section-8.4

  39. 	ConfidentialClient bool               `xorm:"NOT NULL DEFAULT TRUE"`

  40. 	RedirectURIs       []string           `xorm:"redirect_uris JSON TEXT"`

  41. 	CreatedUnix        timeutil.TimeStamp `xorm:"INDEX created"`

  42. 	UpdatedUnix        timeutil.TimeStamp `xorm:"INDEX updated"`

  43. }

  44. 

  45. func init() {

  46. 	db.RegisterModel(new(OAuth2Application))

  47. 	db.RegisterModel(new(OAuth2AuthorizationCode))

  48. 	db.RegisterModel(new(OAuth2Grant))

  49. }

  50. 

  51. type BuiltinOAuth2Application struct {

  52. 	ConfigName   string

  53. 	DisplayName  string

  54. 	RedirectURIs []string

  55. }

  56. 

  57. func BuiltinApplications() map[string]*BuiltinOAuth2Application {

  58. 	m := make(map[string]*BuiltinOAuth2Application)

  59. 	m["a4792ccc-144e-407e-86c9-5e7d8d9c3269"] = &BuiltinOAuth2Application{

  60. 		ConfigName:   "git-credential-oauth",

  61. 		DisplayName:  "git-credential-oauth",

  62. 		RedirectURIs: []string{"http://127.0.0.1", "https://127.0.0.1"},

  63. 	}

  64. 	m["e90ee53c-94e2-48ac-9358-a874fb9e0662"] = &BuiltinOAuth2Application{

  65. 		ConfigName:   "git-credential-manager",

  66. 		DisplayName:  "Git Credential Manager",

  67. 		RedirectURIs: []string{"http://127.0.0.1", "https://127.0.0.1"},

  68. 	}

  69. 	m["d57cb8c4-630c-4168-8324-ec79935e18d4"] = &BuiltinOAuth2Application{

  70. 		ConfigName:   "tea",

  71. 		DisplayName:  "tea",

  72. 		RedirectURIs: []string{"http://127.0.0.1", "https://127.0.0.1"},

  73. 	}

  74. 	return m

  75. }

  76. 

  77. func Init(ctx context.Context) error {

  78. 	builtinApps := BuiltinApplications()

  79. 	var builtinAllClientIDs []string

  80. 	for clientID := range builtinApps {

  81. 		builtinAllClientIDs = append(builtinAllClientIDs, clientID)

  82. 	}

  83. 

  84. 	var registeredApps []*OAuth2Application

  85. 	if err := db.GetEngine(ctx).In("client_id", builtinAllClientIDs).Find(&registeredApps); err != nil {

  86. 		return err

  87. 	}

  88. 

  89. 	clientIDsToAdd := container.Set[string]{}

  90. 	for _, configName := range setting.OAuth2.DefaultApplications {

  91. 		found := false

  92. 		for clientID, builtinApp := range builtinApps {

  93. 			if builtinApp.ConfigName == configName {

  94. 				clientIDsToAdd.Add(clientID) // add all user-configured apps to the "add" list

  95. 				found = true

  96. 			}

  97. 		}

  98. 		if !found {

  99. 			return fmt.Errorf("unknown oauth2 application: %q", configName)

  100. 		}

  101. 	}

  102. 	clientIDsToDelete := container.Set[string]{}

  103. 	for _, app := range registeredApps {

  104. 		if !clientIDsToAdd.Contains(app.ClientID) {

  105. 			clientIDsToDelete.Add(app.ClientID) // if a registered app is not in the "add" list, it should be deleted

  106. 		}

  107. 	}

  108. 	for _, app := range registeredApps {

  109. 		clientIDsToAdd.Remove(app.ClientID) // no need to re-add existing (registered) apps, so remove them from the set

  110. 	}

  111. 

  112. 	for _, app := range registeredApps {

  113. 		if clientIDsToDelete.Contains(app.ClientID) {

  114. 			if err := deleteOAuth2Application(ctx, app.ID, 0); err != nil {

  115. 				return err

  116. 			}

  117. 		}

  118. 	}

  119. 	for clientID := range clientIDsToAdd {

  120. 		builtinApp := builtinApps[clientID]

  121. 		if err := db.Insert(ctx, &OAuth2Application{

  122. 			Name:         builtinApp.DisplayName,

  123. 			ClientID:     clientID,

  124. 			RedirectURIs: builtinApp.RedirectURIs,

  125. 		}); err != nil {

  126. 			return err

  127. 		}

  128. 	}

  129. 

  130. 	return nil

  131. }

  132. 

  133. // TableName sets the table name to `oauth2_application`

  134. func (app *OAuth2Application) TableName() string {

  135. 	return "oauth2_application"

  136. }

  137. 

  138. // ContainsRedirectURI checks if redirectURI is allowed for app

  139. func (app *OAuth2Application) ContainsRedirectURI(redirectURI string) bool {

  140. 	contains := func(s string) bool {

  141. 		s = strings.TrimSuffix(strings.ToLower(s), "/")

  142. 		for _, u := range app.RedirectURIs {

  143. 			if strings.TrimSuffix(strings.ToLower(u), "/") == s {

  144. 				return true

  145. 			}

  146. 		}

  147. 		return false

  148. 	}

  149. 	if !app.ConfidentialClient {

  150. 		uri, err := url.Parse(redirectURI)

  151. 		// ignore port for http loopback uris following https://datatracker.ietf.org/doc/html/rfc8252#section-7.3

  152. 		if err == nil && uri.Scheme == "http" && uri.Port() != "" {

  153. 			ip := net.ParseIP(uri.Hostname())

  154. 			if ip != nil && ip.IsLoopback() {

  155. 				// strip port

  156. 				uri.Host = uri.Hostname()

  157. 				if contains(uri.String()) {

  158. 					return true

  159. 				}

  160. 			}

  161. 		}

  162. 	}

  163. 	return contains(redirectURI)

  164. }

  165. 

  166. // Base32 characters, but lowercased.

  167. const lowerBase32Chars = "abcdefghijklmnopqrstuvwxyz234567"

  168. 

  169. // base32 encoder that uses lowered characters without padding.

  170. var base32Lower = base32.NewEncoding(lowerBase32Chars).WithPadding(base32.NoPadding)

  171. 

  172. // GenerateClientSecret will generate the client secret and returns the plaintext and saves the hash at the database

  173. func (app *OAuth2Application) GenerateClientSecret(ctx context.Context) (string, error) {

  174. 	rBytes, err := util.CryptoRandomBytes(32)

  175. 	if err != nil {

  176. 		return "", err

  177. 	}

  178. 	// Add a prefix to the base32, this is in order to make it easier

  179. 	// for code scanners to grab sensitive tokens.

  180. 	clientSecret := "gto_" + base32Lower.EncodeToString(rBytes)

  181. 

  182. 	hashedSecret, err := bcrypt.GenerateFromPassword([]byte(clientSecret), bcrypt.DefaultCost)

  183. 	if err != nil {

  184. 		return "", err

  185. 	}

  186. 	app.ClientSecret = string(hashedSecret)

  187. 	if _, err := db.GetEngine(ctx).ID(app.ID).Cols("client_secret").Update(app); err != nil {

  188. 		return "", err

  189. 	}

  190. 	return clientSecret, nil

  191. }

  192. 

  193. // ValidateClientSecret validates the given secret by the hash saved in database

  194. func (app *OAuth2Application) ValidateClientSecret(secret []byte) bool {

  195. 	return bcrypt.CompareHashAndPassword([]byte(app.ClientSecret), secret) == nil

  196. }

  197. 

  198. // GetGrantByUserID returns a OAuth2Grant by its user and application ID

  199. func (app *OAuth2Application) GetGrantByUserID(ctx context.Context, userID int64) (grant *OAuth2Grant, err error) {

  200. 	grant = new(OAuth2Grant)

  201. 	if has, err := db.GetEngine(ctx).Where("user_id = ? AND application_id = ?", userID, app.ID).Get(grant); err != nil {

  202. 		return nil, err

  203. 	} else if !has {

  204. 		return nil, nil

  205. 	}

  206. 	return grant, nil

  207. }

  208. 

  209. // CreateGrant generates a grant for an user

  210. func (app *OAuth2Application) CreateGrant(ctx context.Context, userID int64, scope string) (*OAuth2Grant, error) {

  211. 	grant := &OAuth2Grant{

  212. 		ApplicationID: app.ID,

  213. 		UserID:        userID,

  214. 		Scope:         scope,

  215. 	}

  216. 	err := db.Insert(ctx, grant)

  217. 	if err != nil {

  218. 		return nil, err

  219. 	}

  220. 	return grant, nil

  221. }

  222. 

  223. // GetOAuth2ApplicationByClientID returns the oauth2 application with the given client_id. Returns an error if not found.

  224. func GetOAuth2ApplicationByClientID(ctx context.Context, clientID string) (app *OAuth2Application, err error) {

  225. 	app = new(OAuth2Application)

  226. 	has, err := db.GetEngine(ctx).Where("client_id = ?", clientID).Get(app)

  227. 	if !has {

  228. 		return nil, ErrOAuthClientIDInvalid{ClientID: clientID}

  229. 	}

  230. 	return app, err

  231. }

  232. 

  233. // GetOAuth2ApplicationByID returns the oauth2 application with the given id. Returns an error if not found.

  234. func GetOAuth2ApplicationByID(ctx context.Context, id int64) (app *OAuth2Application, err error) {

  235. 	app = new(OAuth2Application)

  236. 	has, err := db.GetEngine(ctx).ID(id).Get(app)

  237. 	if err != nil {

  238. 		return nil, err

  239. 	}

  240. 	if !has {

  241. 		return nil, ErrOAuthApplicationNotFound{ID: id}

  242. 	}

  243. 	return app, nil

  244. }

  245. 

  246. // CreateOAuth2ApplicationOptions holds options to create an oauth2 application

  247. type CreateOAuth2ApplicationOptions struct {

  248. 	Name               string

  249. 	UserID             int64

  250. 	ConfidentialClient bool

  251. 	RedirectURIs       []string

  252. }

  253. 

  254. // CreateOAuth2Application inserts a new oauth2 application

  255. func CreateOAuth2Application(ctx context.Context, opts CreateOAuth2ApplicationOptions) (*OAuth2Application, error) {

  256. 	clientID := uuid.New().String()

  257. 	app := &OAuth2Application{

  258. 		UID:                opts.UserID,

  259. 		Name:               opts.Name,

  260. 		ClientID:           clientID,

  261. 		RedirectURIs:       opts.RedirectURIs,

  262. 		ConfidentialClient: opts.ConfidentialClient,

  263. 	}

  264. 	if err := db.Insert(ctx, app); err != nil {

  265. 		return nil, err

  266. 	}

  267. 	return app, nil

  268. }

  269. 

  270. // UpdateOAuth2ApplicationOptions holds options to update an oauth2 application

  271. type UpdateOAuth2ApplicationOptions struct {

  272. 	ID                 int64

  273. 	Name               string

  274. 	UserID             int64

  275. 	ConfidentialClient bool

  276. 	RedirectURIs       []string

  277. }

  278. 

  279. // UpdateOAuth2Application updates an oauth2 application

  280. func UpdateOAuth2Application(ctx context.Context, opts UpdateOAuth2ApplicationOptions) (*OAuth2Application, error) {

  281. 	ctx, committer, err := db.TxContext(ctx)

  282. 	if err != nil {

  283. 		return nil, err

  284. 	}

  285. 	defer committer.Close()

  286. 

  287. 	app, err := GetOAuth2ApplicationByID(ctx, opts.ID)

  288. 	if err != nil {

  289. 		return nil, err

  290. 	}

  291. 	if app.UID != opts.UserID {

  292. 		return nil, fmt.Errorf("UID mismatch")

  293. 	}

  294. 	builtinApps := BuiltinApplications()

  295. 	if _, builtin := builtinApps[app.ClientID]; builtin {

  296. 		return nil, fmt.Errorf("failed to edit OAuth2 application: application is locked: %s", app.ClientID)

  297. 	}

  298. 

  299. 	app.Name = opts.Name

  300. 	app.RedirectURIs = opts.RedirectURIs

  301. 	app.ConfidentialClient = opts.ConfidentialClient

  302. 

  303. 	if err = updateOAuth2Application(ctx, app); err != nil {

  304. 		return nil, err

  305. 	}

  306. 	app.ClientSecret = ""

  307. 

  308. 	return app, committer.Commit()

  309. }

  310. 

  311. func updateOAuth2Application(ctx context.Context, app *OAuth2Application) error {

  312. 	if _, err := db.GetEngine(ctx).ID(app.ID).UseBool("confidential_client").Update(app); err != nil {

  313. 		return err

  314. 	}

  315. 	return nil

  316. }

  317. 

  318. func deleteOAuth2Application(ctx context.Context, id, userid int64) error {

  319. 	sess := db.GetEngine(ctx)

  320. 	// the userid could be 0 if the app is instance-wide

  321. 	if deleted, err := sess.Where(builder.Eq{"id": id, "uid": userid}).Delete(&OAuth2Application{}); err != nil {

  322. 		return err

  323. 	} else if deleted == 0 {

  324. 		return ErrOAuthApplicationNotFound{ID: id}

  325. 	}

  326. 	codes := make([]*OAuth2AuthorizationCode, 0)

  327. 	// delete correlating auth codes

  328. 	if err := sess.Join("INNER", "oauth2_grant",

  329. 		"oauth2_authorization_code.grant_id = oauth2_grant.id AND oauth2_grant.application_id = ?", id).Find(&codes); err != nil {

  330. 		return err

  331. 	}

  332. 	codeIDs := make([]int64, 0, len(codes))

  333. 	for _, grant := range codes {

  334. 		codeIDs = append(codeIDs, grant.ID)

  335. 	}

  336. 

  337. 	if _, err := sess.In("id", codeIDs).Delete(new(OAuth2AuthorizationCode)); err != nil {

  338. 		return err

  339. 	}

  340. 

  341. 	if _, err := sess.Where("application_id = ?", id).Delete(new(OAuth2Grant)); err != nil {

  342. 		return err

  343. 	}

  344. 	return nil

  345. }

  346. 

  347. // DeleteOAuth2Application deletes the application with the given id and the grants and auth codes related to it. It checks if the userid was the creator of the app.

  348. func DeleteOAuth2Application(ctx context.Context, id, userid int64) error {

  349. 	ctx, committer, err := db.TxContext(ctx)

  350. 	if err != nil {

  351. 		return err

  352. 	}

  353. 	defer committer.Close()

  354. 	app, err := GetOAuth2ApplicationByID(ctx, id)

  355. 	if err != nil {

  356. 		return err

  357. 	}

  358. 	builtinApps := BuiltinApplications()

  359. 	if _, builtin := builtinApps[app.ClientID]; builtin {

  360. 		return fmt.Errorf("failed to delete OAuth2 application: application is locked: %s", app.ClientID)

  361. 	}

  362. 	if err := deleteOAuth2Application(ctx, id, userid); err != nil {

  363. 		return err

  364. 	}

  365. 	return committer.Commit()

  366. }

  367. 

  368. //////////////////////////////////////////////////////

  369. 

  370. // OAuth2AuthorizationCode is a code to obtain an access token in combination with the client secret once. It has a limited lifetime.

  371. type OAuth2AuthorizationCode struct {

  372. 	ID                  int64        `xorm:"pk autoincr"`

  373. 	Grant               *OAuth2Grant `xorm:"-"`

  374. 	GrantID             int64

  375. 	Code                string `xorm:"INDEX unique"`

  376. 	CodeChallenge       string

  377. 	CodeChallengeMethod string

  378. 	RedirectURI         string

  379. 	ValidUntil          timeutil.TimeStamp `xorm:"index"`

  380. }

  381. 

  382. // TableName sets the table name to `oauth2_authorization_code`

  383. func (code *OAuth2AuthorizationCode) TableName() string {

  384. 	return "oauth2_authorization_code"

  385. }

  386. 

  387. // GenerateRedirectURI generates a redirect URI for a successful authorization request. State will be used if not empty.

  388. func (code *OAuth2AuthorizationCode) GenerateRedirectURI(state string) (*url.URL, error) {

  389. 	redirect, err := url.Parse(code.RedirectURI)

  390. 	if err != nil {

  391. 		return nil, err

  392. 	}

  393. 	q := redirect.Query()

  394. 	if state != "" {

  395. 		q.Set("state", state)

  396. 	}

  397. 	q.Set("code", code.Code)

  398. 	redirect.RawQuery = q.Encode()

  399. 	return redirect, err

  400. }

  401. 

  402. // Invalidate deletes the auth code from the database to invalidate this code

  403. func (code *OAuth2AuthorizationCode) Invalidate(ctx context.Context) error {

  404. 	_, err := db.GetEngine(ctx).ID(code.ID).NoAutoCondition().Delete(code)

  405. 	return err

  406. }

  407. 

  408. // ValidateCodeChallenge validates the given verifier against the saved code challenge. This is part of the PKCE implementation.

  409. func (code *OAuth2AuthorizationCode) ValidateCodeChallenge(verifier string) bool {

  410. 	switch code.CodeChallengeMethod {

  411. 	case "S256":

  412. 		// base64url(SHA256(verifier)) see https://tools.ietf.org/html/rfc7636#section-4.6

  413. 		h := sha256.Sum256([]byte(verifier))

  414. 		hashedVerifier := base64.RawURLEncoding.EncodeToString(h[:])

  415. 		return hashedVerifier == code.CodeChallenge

  416. 	case "plain":

  417. 		return verifier == code.CodeChallenge

  418. 	case "":

  419. 		return true

  420. 	default:

  421. 		// unsupported method -> return false

  422. 		return false

  423. 	}

  424. }

  425. 

  426. // GetOAuth2AuthorizationByCode returns an authorization by its code

  427. func GetOAuth2AuthorizationByCode(ctx context.Context, code string) (auth *OAuth2AuthorizationCode, err error) {

  428. 	auth = new(OAuth2AuthorizationCode)

  429. 	if has, err := db.GetEngine(ctx).Where("code = ?", code).Get(auth); err != nil {

  430. 		return nil, err

  431. 	} else if !has {

  432. 		return nil, nil

  433. 	}

  434. 	auth.Grant = new(OAuth2Grant)

  435. 	if has, err := db.GetEngine(ctx).ID(auth.GrantID).Get(auth.Grant); err != nil {

  436. 		return nil, err

  437. 	} else if !has {

  438. 		return nil, nil

  439. 	}

  440. 	return auth, nil

  441. }

  442. 

  443. //////////////////////////////////////////////////////

  444. 

  445. // OAuth2Grant represents the permission of an user for a specific application to access resources

  446. type OAuth2Grant struct {

  447. 	ID            int64              `xorm:"pk autoincr"`

  448. 	UserID        int64              `xorm:"INDEX unique(user_application)"`

  449. 	Application   *OAuth2Application `xorm:"-"`

  450. 	ApplicationID int64              `xorm:"INDEX unique(user_application)"`

  451. 	Counter       int64              `xorm:"NOT NULL DEFAULT 1"`

  452. 	Scope         string             `xorm:"TEXT"`

  453. 	Nonce         string             `xorm:"TEXT"`

  454. 	CreatedUnix   timeutil.TimeStamp `xorm:"created"`

  455. 	UpdatedUnix   timeutil.TimeStamp `xorm:"updated"`

  456. }

  457. 

  458. // TableName sets the table name to `oauth2_grant`

  459. func (grant *OAuth2Grant) TableName() string {

  460. 	return "oauth2_grant"

  461. }

  462. 

  463. // GenerateNewAuthorizationCode generates a new authorization code for a grant and saves it to the database

  464. func (grant *OAuth2Grant) GenerateNewAuthorizationCode(ctx context.Context, redirectURI, codeChallenge, codeChallengeMethod string) (code *OAuth2AuthorizationCode, err error) {

  465. 	rBytes, err := util.CryptoRandomBytes(32)

  466. 	if err != nil {

  467. 		return &OAuth2AuthorizationCode{}, err

  468. 	}

  469. 	// Add a prefix to the base32, this is in order to make it easier

  470. 	// for code scanners to grab sensitive tokens.

  471. 	codeSecret := "gta_" + base32Lower.EncodeToString(rBytes)

  472. 

  473. 	code = &OAuth2AuthorizationCode{

  474. 		Grant:               grant,

  475. 		GrantID:             grant.ID,

  476. 		RedirectURI:         redirectURI,

  477. 		Code:                codeSecret,

  478. 		CodeChallenge:       codeChallenge,

  479. 		CodeChallengeMethod: codeChallengeMethod,

  480. 	}

  481. 	if err := db.Insert(ctx, code); err != nil {

  482. 		return nil, err

  483. 	}

  484. 	return code, nil

  485. }

  486. 

  487. // IncreaseCounter increases the counter and updates the grant

  488. func (grant *OAuth2Grant) IncreaseCounter(ctx context.Context) error {

  489. 	_, err := db.GetEngine(ctx).ID(grant.ID).Incr("counter").Update(new(OAuth2Grant))

  490. 	if err != nil {

  491. 		return err

  492. 	}

  493. 	updatedGrant, err := GetOAuth2GrantByID(ctx, grant.ID)

  494. 	if err != nil {

  495. 		return err

  496. 	}

  497. 	grant.Counter = updatedGrant.Counter

  498. 	return nil

  499. }

  500. 

  501. // ScopeContains returns true if the grant scope contains the specified scope

  502. func (grant *OAuth2Grant) ScopeContains(scope string) bool {

  503. 	for _, currentScope := range strings.Split(grant.Scope, " ") {

  504. 		if scope == currentScope {

  505. 			return true

  506. 		}

  507. 	}

  508. 	return false

  509. }

  510. 

  511. // SetNonce updates the current nonce value of a grant

  512. func (grant *OAuth2Grant) SetNonce(ctx context.Context, nonce string) error {

  513. 	grant.Nonce = nonce

  514. 	_, err := db.GetEngine(ctx).ID(grant.ID).Cols("nonce").Update(grant)

  515. 	if err != nil {

  516. 		return err

  517. 	}

  518. 	return nil

  519. }

  520. 

  521. // GetOAuth2GrantByID returns the grant with the given ID

  522. func GetOAuth2GrantByID(ctx context.Context, id int64) (grant *OAuth2Grant, err error) {

  523. 	grant = new(OAuth2Grant)

  524. 	if has, err := db.GetEngine(ctx).ID(id).Get(grant); err != nil {

  525. 		return nil, err

  526. 	} else if !has {

  527. 		return nil, nil

  528. 	}

  529. 	return grant, err

  530. }

  531. 

  532. // GetOAuth2GrantsByUserID lists all grants of a certain user

  533. func GetOAuth2GrantsByUserID(ctx context.Context, uid int64) ([]*OAuth2Grant, error) {

  534. 	type joinedOAuth2Grant struct {

  535. 		Grant       *OAuth2Grant       `xorm:"extends"`

  536. 		Application *OAuth2Application `xorm:"extends"`

  537. 	}

  538. 	var results *xorm.Rows

  539. 	var err error

  540. 	if results, err = db.GetEngine(ctx).

  541. 		Table("oauth2_grant").

  542. 		Where("user_id = ?", uid).

  543. 		Join("INNER", "oauth2_application", "application_id = oauth2_application.id").

  544. 		Rows(new(joinedOAuth2Grant)); err != nil {

  545. 		return nil, err

  546. 	}

  547. 	defer results.Close()

  548. 	grants := make([]*OAuth2Grant, 0)

  549. 	for results.Next() {

  550. 		joinedGrant := new(joinedOAuth2Grant)

  551. 		if err := results.Scan(joinedGrant); err != nil {

  552. 			return nil, err

  553. 		}

  554. 		joinedGrant.Grant.Application = joinedGrant.Application

  555. 		grants = append(grants, joinedGrant.Grant)

  556. 	}

  557. 	return grants, nil

  558. }

  559. 

  560. // RevokeOAuth2Grant deletes the grant with grantID and userID

  561. func RevokeOAuth2Grant(ctx context.Context, grantID, userID int64) error {

  562. 	_, err := db.GetEngine(ctx).Where(builder.Eq{"id": grantID, "user_id": userID}).Delete(&OAuth2Grant{})

  563. 	return err

  564. }

  565. 

  566. // ErrOAuthClientIDInvalid will be thrown if client id cannot be found

  567. type ErrOAuthClientIDInvalid struct {

  568. 	ClientID string

  569. }

  570. 

  571. // IsErrOauthClientIDInvalid checks if an error is a ErrOAuthClientIDInvalid.

  572. func IsErrOauthClientIDInvalid(err error) bool {

  573. 	_, ok := err.(ErrOAuthClientIDInvalid)

  574. 	return ok

  575. }

  576. 

  577. // Error returns the error message

  578. func (err ErrOAuthClientIDInvalid) Error() string {

  579. 	return fmt.Sprintf("Client ID invalid [Client ID: %s]", err.ClientID)

  580. }

  581. 

  582. // Unwrap unwraps this as a ErrNotExist err

  583. func (err ErrOAuthClientIDInvalid) Unwrap() error {

  584. 	return util.ErrNotExist

  585. }

  586. 

  587. // ErrOAuthApplicationNotFound will be thrown if id cannot be found

  588. type ErrOAuthApplicationNotFound struct {

  589. 	ID int64

  590. }

  591. 

  592. // IsErrOAuthApplicationNotFound checks if an error is a ErrReviewNotExist.

  593. func IsErrOAuthApplicationNotFound(err error) bool {

  594. 	_, ok := err.(ErrOAuthApplicationNotFound)

  595. 	return ok

  596. }

  597. 

  598. // Error returns the error message

  599. func (err ErrOAuthApplicationNotFound) Error() string {

  600. 	return fmt.Sprintf("OAuth application not found [ID: %d]", err.ID)

  601. }

  602. 

  603. // Unwrap unwraps this as a ErrNotExist err

  604. func (err ErrOAuthApplicationNotFound) Unwrap() error {

  605. 	return util.ErrNotExist

  606. }

  607. 

  608. // GetActiveOAuth2SourceByName returns a OAuth2 AuthSource based on the given name

  609. func GetActiveOAuth2SourceByName(ctx context.Context, name string) (*Source, error) {

  610. 	authSource := new(Source)

  611. 	has, err := db.GetEngine(ctx).Where("name = ? and type = ? and is_active = ?", name, OAuth2, true).Get(authSource)

  612. 	if err != nil {

  613. 		return nil, err

  614. 	}

  615. 

  616. 	if !has {

  617. 		return nil, fmt.Errorf("oauth2 source not found, name: %q", name)

  618. 	}

  619. 

  620. 	return authSource, nil

  621. }

  622. 

  623. func DeleteOAuth2RelictsByUserID(ctx context.Context, userID int64) error {

  624. 	deleteCond := builder.Select("id").From("oauth2_grant").Where(builder.Eq{"oauth2_grant.user_id": userID})

  625. 

  626. 	if _, err := db.GetEngine(ctx).In("grant_id", deleteCond).

  627. 		Delete(&OAuth2AuthorizationCode{}); err != nil {

  628. 		return err

  629. 	}

  630. 

  631. 	if err := db.DeleteBeans(ctx,

  632. 		&OAuth2Application{UID: userID},

  633. 		&OAuth2Grant{UserID: userID},

  634. 	); err != nil {

  635. 		return fmt.Errorf("DeleteBeans: %w", err)

  636. 	}

  637. 

  638. 	return nil

  639. }