summaryrefslogtreecommitdiffstats
path: root/apps/oauth2/lib
diff options
context:
space:
mode:
authorLukas Reschke <lukas@statuscode.ch>2017-05-04 23:46:59 +0200
committerLukas Reschke <lukas@statuscode.ch>2017-05-18 20:49:03 +0200
commit5f71805c35d04e585ea6d4227254b11204413dfd (patch)
treee2de66eb03b7127ff542393089013cda526df781 /apps/oauth2/lib
parent879e11e7d1d9802647ade392f4ae317952bc6f8f (diff)
downloadnextcloud-server-5f71805c35d04e585ea6d4227254b11204413dfd.tar.gz
nextcloud-server-5f71805c35d04e585ea6d4227254b11204413dfd.zip
Add basic implementation for OAuth 2.0 Authorization Code Flow
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Diffstat (limited to 'apps/oauth2/lib')
-rw-r--r--apps/oauth2/lib/Controller/LoginRedirectorController.php78
-rw-r--r--apps/oauth2/lib/Controller/OauthApiController.php88
-rw-r--r--apps/oauth2/lib/Controller/SettingsController.php86
-rw-r--r--apps/oauth2/lib/Db/AccessToken.php53
-rw-r--r--apps/oauth2/lib/Db/AccessTokenMapper.php49
-rw-r--r--apps/oauth2/lib/Db/Client.php53
-rw-r--r--apps/oauth2/lib/Db/ClientMapper.php61
-rw-r--r--apps/oauth2/lib/Settings/Admin.php67
8 files changed, 535 insertions, 0 deletions
diff --git a/apps/oauth2/lib/Controller/LoginRedirectorController.php b/apps/oauth2/lib/Controller/LoginRedirectorController.php
new file mode 100644
index 00000000000..1a2e00ef5dc
--- /dev/null
+++ b/apps/oauth2/lib/Controller/LoginRedirectorController.php
@@ -0,0 +1,78 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\OAuth2\Controller;
+
+use OCA\OAuth2\Db\ClientMapper;
+use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http\RedirectResponse;
+use OCP\IRequest;
+use OCP\IURLGenerator;
+
+class LoginRedirectorController extends Controller {
+ /** @var IURLGenerator */
+ private $urlGenerator;
+ /** @var ClientMapper */
+ private $clientMapper;
+
+ /**
+ * @param string $appName
+ * @param IRequest $request
+ * @param IURLGenerator $urlGenerator
+ * @param ClientMapper $clientMapper
+ */
+ public function __construct($appName,
+ IRequest $request,
+ IURLGenerator $urlGenerator,
+ ClientMapper $clientMapper) {
+ parent::__construct($appName, $request);
+ $this->urlGenerator = $urlGenerator;
+ $this->clientMapper = $clientMapper;
+ }
+
+ /**
+ * @PublicPage
+ * @NoCSRFRequired
+ *
+ * @param string $client_id
+ * @param string $redirect_uri
+ * @param string $state
+ * @return RedirectResponse
+ */
+ public function authorize($client_id,
+ $redirect_uri,
+ $state) {
+ $client = $this->clientMapper->getByIdentifier($client_id);
+
+ if($client->getRedirectUri() !== $redirect_uri) {
+ throw new \Exception('Redirect URI does not match');
+ }
+
+ $targetUrl = $this->urlGenerator->linkToRouteAbsolute(
+ 'core.ClientFlowLogin.showAuthPickerPage',
+ [
+ 'clientIdentifier' => $client->getClientIdentifier(),
+ 'oauthState' => $state,
+ ]
+ );
+ return new RedirectResponse($targetUrl);
+ }
+}
diff --git a/apps/oauth2/lib/Controller/OauthApiController.php b/apps/oauth2/lib/Controller/OauthApiController.php
new file mode 100644
index 00000000000..8432830bce3
--- /dev/null
+++ b/apps/oauth2/lib/Controller/OauthApiController.php
@@ -0,0 +1,88 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\OAuth2\Controller;
+
+use OC\Authentication\Token\DefaultTokenMapper;
+use OCA\OAuth2\Db\AccessTokenMapper;
+use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http\JSONResponse;
+use OCP\IRequest;
+use OCP\Security\ICrypto;
+use OCP\Security\ISecureRandom;
+
+class OauthApiController extends Controller {
+ /** @var AccessTokenMapper */
+ private $accessTokenMapper;
+ /** @var ICrypto */
+ private $crypto;
+ /** @var DefaultTokenMapper */
+ private $defaultTokenMapper;
+ /** @var ISecureRandom */
+ private $secureRandom;
+
+ /**
+ * @param string $appName
+ * @param IRequest $request
+ * @param ICrypto $crypto
+ * @param AccessTokenMapper $accessTokenMapper
+ * @param DefaultTokenMapper $defaultTokenMapper
+ * @param ISecureRandom $secureRandom
+ */
+ public function __construct($appName,
+ IRequest $request,
+ ICrypto $crypto,
+ AccessTokenMapper $accessTokenMapper,
+ DefaultTokenMapper $defaultTokenMapper,
+ ISecureRandom $secureRandom) {
+ parent::__construct($appName, $request);
+ $this->crypto = $crypto;
+ $this->accessTokenMapper = $accessTokenMapper;
+ $this->defaultTokenMapper = $defaultTokenMapper;
+ $this->secureRandom = $secureRandom;
+ }
+
+ /**
+ * @PublicPage
+ * @NoCSRFRequired
+ *
+ * @param string $code
+ * @return JSONResponse
+ */
+ public function getToken($code) {
+ $accessToken = $this->accessTokenMapper->getByCode($code);
+ $decryptedToken = $this->crypto->decrypt($accessToken->getEncryptedToken(), $code);
+ $newCode = $this->secureRandom->generate(128);
+ $accessToken->setHashedCode(hash('sha512', $newCode));
+ $accessToken->setEncryptedToken($this->crypto->encrypt($decryptedToken, $newCode));
+ $this->accessTokenMapper->update($accessToken);
+
+ return new JSONResponse(
+ [
+ 'access_token' => $decryptedToken,
+ 'token_type' => 'token',
+ 'expires_in' => 3600,
+ 'refresh_token' => $newCode,
+ 'user_id' => ($this->defaultTokenMapper->getTokenById($accessToken->getTokenId()))->getUID(),
+ ]
+ );
+ }
+}
diff --git a/apps/oauth2/lib/Controller/SettingsController.php b/apps/oauth2/lib/Controller/SettingsController.php
new file mode 100644
index 00000000000..1d376694f5a
--- /dev/null
+++ b/apps/oauth2/lib/Controller/SettingsController.php
@@ -0,0 +1,86 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\OAuth2\Controller;
+
+use OCA\OAuth2\Db\Client;
+use OCA\OAuth2\Db\ClientMapper;
+use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http\RedirectResponse;
+use OCP\IRequest;
+use OCP\IURLGenerator;
+use OCP\Security\ISecureRandom;
+
+class SettingsController extends Controller {
+ /** @var IURLGenerator */
+ private $urlGenerator;
+ /** @var ClientMapper */
+ private $clientMapper;
+ /** @var ISecureRandom */
+ private $secureRandom;
+
+ const validChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+
+ /**
+ * @param string $appName
+ * @param IRequest $request
+ * @param IURLGenerator $urlGenerator
+ * @param ClientMapper $clientMapper
+ * @param ISecureRandom $secureRandom
+ */
+ public function __construct($appName,
+ IRequest $request,
+ IURLGenerator $urlGenerator,
+ ClientMapper $clientMapper,
+ ISecureRandom $secureRandom) {
+ parent::__construct($appName, $request);
+ $this->urlGenerator = $urlGenerator;
+ $this->secureRandom = $secureRandom;
+ $this->clientMapper = $clientMapper;
+ }
+
+ /**
+ * @param string $name
+ * @param string $redirectUri
+ * @return RedirectResponse
+ */
+ public function addClient($name,
+ $redirectUri) {
+ $client = new Client();
+ $client->setName($name);
+ $client->setRedirectUri($redirectUri);
+ $client->setSecret($this->secureRandom->generate(64, self::validChars));
+ $client->setClientIdentifier($this->secureRandom->generate(64, self::validChars));
+ $this->clientMapper->insert($client);
+ return new RedirectResponse($this->urlGenerator->getAbsoluteURL('/index.php/settings/admin/security'));
+ }
+
+ /**
+ * @param int $id
+ * @return RedirectResponse
+ */
+ public function deleteClient($id) {
+ $client = new Client();
+ $client->setId($id);
+ $this->clientMapper->delete($client);
+ return new RedirectResponse($this->urlGenerator->getAbsoluteURL('/index.php/settings/admin/security'));
+ }
+}
diff --git a/apps/oauth2/lib/Db/AccessToken.php b/apps/oauth2/lib/Db/AccessToken.php
new file mode 100644
index 00000000000..8266a9a0068
--- /dev/null
+++ b/apps/oauth2/lib/Db/AccessToken.php
@@ -0,0 +1,53 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\OAuth2\Db;
+
+use OCP\AppFramework\Db\Entity;
+
+/**
+ * @method int getTokenId()
+ * @method void setTokenId(int $identifier)
+ * @method int getClientId()
+ * @method void setClientId(int $identifier)
+ * @method string getEncryptedToken()
+ * @method void setEncryptedToken(string $token)
+ * @method string getHashedCode()
+ * @method void setHashedCode(string $token)
+ */
+class AccessToken extends Entity {
+ /** @var int */
+ protected $tokenId;
+ /** @var int */
+ protected $clientId;
+ /** @var string */
+ protected $hashedCode;
+ /** @var string */
+ protected $encryptedToken;
+
+ public function __construct() {
+ $this->addType('id', 'int');
+ $this->addType('token_id', 'int');
+ $this->addType('client_id', 'int');
+ $this->addType('hashed_code', 'string');
+ $this->addType('encrypted_token', 'string');
+ }
+}
diff --git a/apps/oauth2/lib/Db/AccessTokenMapper.php b/apps/oauth2/lib/Db/AccessTokenMapper.php
new file mode 100644
index 00000000000..0400ad6366c
--- /dev/null
+++ b/apps/oauth2/lib/Db/AccessTokenMapper.php
@@ -0,0 +1,49 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\OAuth2\Db;
+
+use OCP\AppFramework\Db\Mapper;
+use OCP\IDBConnection;
+
+class AccessTokenMapper extends Mapper {
+
+ /**
+ * @param IDBConnection $db
+ */
+ public function __construct(IDBConnection $db) {
+ parent::__construct($db, 'oauth2_access_tokens');
+ }
+
+ /**
+ * @param string $code
+ * @return AccessToken
+ */
+ public function getByCode($code) {
+ $qb = $this->db->getQueryBuilder();
+ $qb
+ ->select('*')
+ ->from($this->tableName)
+ ->where($qb->expr()->eq('hashed_code', $qb->createParameter('hashedCode')));
+
+ return $this->findEntity($qb->getSQL(), [hash('sha512', $code)]);
+ }
+}
diff --git a/apps/oauth2/lib/Db/Client.php b/apps/oauth2/lib/Db/Client.php
new file mode 100644
index 00000000000..85c1630cb15
--- /dev/null
+++ b/apps/oauth2/lib/Db/Client.php
@@ -0,0 +1,53 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\OAuth2\Db;
+
+use OCP\AppFramework\Db\Entity;
+
+/**
+ * @method string getClientIdentifier()
+ * @method void setClientIdentifier(string $identifier)
+ * @method string getSecret()
+ * @method void setSecret(string $secret)
+ * @method string getRedirectUri()
+ * @method void setRedirectUri(string $redirectUri)
+ * @method string getName()
+ * @method void setName(string $name)
+ */
+class Client extends Entity {
+ /** @var string */
+ protected $name;
+ /** @var string */
+ protected $redirectUri;
+ /** @var string */
+ protected $clientIdentifier;
+ /** @var string */
+ protected $secret;
+
+ public function __construct() {
+ $this->addType('id', 'int');
+ $this->addType('name', 'string');
+ $this->addType('redirect_uri', 'string');
+ $this->addType('client_identifier', 'string');
+ $this->addType('secret', 'string');
+ }
+}
diff --git a/apps/oauth2/lib/Db/ClientMapper.php b/apps/oauth2/lib/Db/ClientMapper.php
new file mode 100644
index 00000000000..d3c09ac5c69
--- /dev/null
+++ b/apps/oauth2/lib/Db/ClientMapper.php
@@ -0,0 +1,61 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\OAuth2\Db;
+
+use OCP\AppFramework\Db\Mapper;
+use OCP\IDBConnection;
+
+class ClientMapper extends Mapper {
+
+ /**
+ * @param IDBConnection $db
+ */
+ public function __construct(IDBConnection $db) {
+ parent::__construct($db, 'oauth2_clients');
+ }
+
+ /**
+ * @param string $clientIdentifier
+ * @return Client
+ */
+ public function getByIdentifier($clientIdentifier) {
+ $qb = $this->db->getQueryBuilder();
+ $qb
+ ->select('*')
+ ->from($this->tableName)
+ ->where($qb->expr()->eq('client_identifier', $qb->createParameter('clientId')));
+
+ return $this->findEntity($qb->getSQL(), [$clientIdentifier]);
+ }
+
+ /**
+ * @return Client[]
+ */
+ public function getClients() {
+ $qb = $this->db->getQueryBuilder();
+ $qb
+ ->select('*')
+ ->from($this->tableName);
+
+ return $this->findEntities($qb->getSQL());
+ }
+}
diff --git a/apps/oauth2/lib/Settings/Admin.php b/apps/oauth2/lib/Settings/Admin.php
new file mode 100644
index 00000000000..aa120bcb7d7
--- /dev/null
+++ b/apps/oauth2/lib/Settings/Admin.php
@@ -0,0 +1,67 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\OAuth2\Settings;
+
+use OCA\OAuth2\Db\ClientMapper;
+use OCP\AppFramework\Http\TemplateResponse;
+use OCP\IConfig;
+use OCP\Settings\ISettings;
+
+class Admin implements ISettings {
+ /** @var ClientMapper */
+ private $clientMapper;
+
+ /**
+ * @param ClientMapper $clientMapper
+ */
+ public function __construct(ClientMapper $clientMapper) {
+ $this->clientMapper = $clientMapper;
+ }
+
+ /**
+ * @return TemplateResponse
+ */
+ public function getForm() {
+ return new TemplateResponse(
+ 'oauth2',
+ 'admin',
+ [
+ 'clients' => $this->clientMapper->getClients(),
+ ],
+ ''
+ );
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function getSection() {
+ return 'security';
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function getPriority() {
+ return 0;
+ }
+}