diff options
author | Lukas Reschke <lukas@statuscode.ch> | 2017-05-04 23:46:59 +0200 |
---|---|---|
committer | Lukas Reschke <lukas@statuscode.ch> | 2017-05-18 20:49:03 +0200 |
commit | 5f71805c35d04e585ea6d4227254b11204413dfd (patch) | |
tree | e2de66eb03b7127ff542393089013cda526df781 /apps/oauth2/lib | |
parent | 879e11e7d1d9802647ade392f4ae317952bc6f8f (diff) | |
download | nextcloud-server-5f71805c35d04e585ea6d4227254b11204413dfd.tar.gz nextcloud-server-5f71805c35d04e585ea6d4227254b11204413dfd.zip |
Add basic implementation for OAuth 2.0 Authorization Code Flow
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Diffstat (limited to 'apps/oauth2/lib')
-rw-r--r-- | apps/oauth2/lib/Controller/LoginRedirectorController.php | 78 | ||||
-rw-r--r-- | apps/oauth2/lib/Controller/OauthApiController.php | 88 | ||||
-rw-r--r-- | apps/oauth2/lib/Controller/SettingsController.php | 86 | ||||
-rw-r--r-- | apps/oauth2/lib/Db/AccessToken.php | 53 | ||||
-rw-r--r-- | apps/oauth2/lib/Db/AccessTokenMapper.php | 49 | ||||
-rw-r--r-- | apps/oauth2/lib/Db/Client.php | 53 | ||||
-rw-r--r-- | apps/oauth2/lib/Db/ClientMapper.php | 61 | ||||
-rw-r--r-- | apps/oauth2/lib/Settings/Admin.php | 67 |
8 files changed, 535 insertions, 0 deletions
diff --git a/apps/oauth2/lib/Controller/LoginRedirectorController.php b/apps/oauth2/lib/Controller/LoginRedirectorController.php new file mode 100644 index 00000000000..1a2e00ef5dc --- /dev/null +++ b/apps/oauth2/lib/Controller/LoginRedirectorController.php @@ -0,0 +1,78 @@ +<?php +/** + * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OCA\OAuth2\Controller; + +use OCA\OAuth2\Db\ClientMapper; +use OCP\AppFramework\Controller; +use OCP\AppFramework\Http\RedirectResponse; +use OCP\IRequest; +use OCP\IURLGenerator; + +class LoginRedirectorController extends Controller { + /** @var IURLGenerator */ + private $urlGenerator; + /** @var ClientMapper */ + private $clientMapper; + + /** + * @param string $appName + * @param IRequest $request + * @param IURLGenerator $urlGenerator + * @param ClientMapper $clientMapper + */ + public function __construct($appName, + IRequest $request, + IURLGenerator $urlGenerator, + ClientMapper $clientMapper) { + parent::__construct($appName, $request); + $this->urlGenerator = $urlGenerator; + $this->clientMapper = $clientMapper; + } + + /** + * @PublicPage + * @NoCSRFRequired + * + * @param string $client_id + * @param string $redirect_uri + * @param string $state + * @return RedirectResponse + */ + public function authorize($client_id, + $redirect_uri, + $state) { + $client = $this->clientMapper->getByIdentifier($client_id); + + if($client->getRedirectUri() !== $redirect_uri) { + throw new \Exception('Redirect URI does not match'); + } + + $targetUrl = $this->urlGenerator->linkToRouteAbsolute( + 'core.ClientFlowLogin.showAuthPickerPage', + [ + 'clientIdentifier' => $client->getClientIdentifier(), + 'oauthState' => $state, + ] + ); + return new RedirectResponse($targetUrl); + } +} diff --git a/apps/oauth2/lib/Controller/OauthApiController.php b/apps/oauth2/lib/Controller/OauthApiController.php new file mode 100644 index 00000000000..8432830bce3 --- /dev/null +++ b/apps/oauth2/lib/Controller/OauthApiController.php @@ -0,0 +1,88 @@ +<?php +/** + * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OCA\OAuth2\Controller; + +use OC\Authentication\Token\DefaultTokenMapper; +use OCA\OAuth2\Db\AccessTokenMapper; +use OCP\AppFramework\Controller; +use OCP\AppFramework\Http\JSONResponse; +use OCP\IRequest; +use OCP\Security\ICrypto; +use OCP\Security\ISecureRandom; + +class OauthApiController extends Controller { + /** @var AccessTokenMapper */ + private $accessTokenMapper; + /** @var ICrypto */ + private $crypto; + /** @var DefaultTokenMapper */ + private $defaultTokenMapper; + /** @var ISecureRandom */ + private $secureRandom; + + /** + * @param string $appName + * @param IRequest $request + * @param ICrypto $crypto + * @param AccessTokenMapper $accessTokenMapper + * @param DefaultTokenMapper $defaultTokenMapper + * @param ISecureRandom $secureRandom + */ + public function __construct($appName, + IRequest $request, + ICrypto $crypto, + AccessTokenMapper $accessTokenMapper, + DefaultTokenMapper $defaultTokenMapper, + ISecureRandom $secureRandom) { + parent::__construct($appName, $request); + $this->crypto = $crypto; + $this->accessTokenMapper = $accessTokenMapper; + $this->defaultTokenMapper = $defaultTokenMapper; + $this->secureRandom = $secureRandom; + } + + /** + * @PublicPage + * @NoCSRFRequired + * + * @param string $code + * @return JSONResponse + */ + public function getToken($code) { + $accessToken = $this->accessTokenMapper->getByCode($code); + $decryptedToken = $this->crypto->decrypt($accessToken->getEncryptedToken(), $code); + $newCode = $this->secureRandom->generate(128); + $accessToken->setHashedCode(hash('sha512', $newCode)); + $accessToken->setEncryptedToken($this->crypto->encrypt($decryptedToken, $newCode)); + $this->accessTokenMapper->update($accessToken); + + return new JSONResponse( + [ + 'access_token' => $decryptedToken, + 'token_type' => 'token', + 'expires_in' => 3600, + 'refresh_token' => $newCode, + 'user_id' => ($this->defaultTokenMapper->getTokenById($accessToken->getTokenId()))->getUID(), + ] + ); + } +} diff --git a/apps/oauth2/lib/Controller/SettingsController.php b/apps/oauth2/lib/Controller/SettingsController.php new file mode 100644 index 00000000000..1d376694f5a --- /dev/null +++ b/apps/oauth2/lib/Controller/SettingsController.php @@ -0,0 +1,86 @@ +<?php +/** + * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OCA\OAuth2\Controller; + +use OCA\OAuth2\Db\Client; +use OCA\OAuth2\Db\ClientMapper; +use OCP\AppFramework\Controller; +use OCP\AppFramework\Http\RedirectResponse; +use OCP\IRequest; +use OCP\IURLGenerator; +use OCP\Security\ISecureRandom; + +class SettingsController extends Controller { + /** @var IURLGenerator */ + private $urlGenerator; + /** @var ClientMapper */ + private $clientMapper; + /** @var ISecureRandom */ + private $secureRandom; + + const validChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'; + + /** + * @param string $appName + * @param IRequest $request + * @param IURLGenerator $urlGenerator + * @param ClientMapper $clientMapper + * @param ISecureRandom $secureRandom + */ + public function __construct($appName, + IRequest $request, + IURLGenerator $urlGenerator, + ClientMapper $clientMapper, + ISecureRandom $secureRandom) { + parent::__construct($appName, $request); + $this->urlGenerator = $urlGenerator; + $this->secureRandom = $secureRandom; + $this->clientMapper = $clientMapper; + } + + /** + * @param string $name + * @param string $redirectUri + * @return RedirectResponse + */ + public function addClient($name, + $redirectUri) { + $client = new Client(); + $client->setName($name); + $client->setRedirectUri($redirectUri); + $client->setSecret($this->secureRandom->generate(64, self::validChars)); + $client->setClientIdentifier($this->secureRandom->generate(64, self::validChars)); + $this->clientMapper->insert($client); + return new RedirectResponse($this->urlGenerator->getAbsoluteURL('/index.php/settings/admin/security')); + } + + /** + * @param int $id + * @return RedirectResponse + */ + public function deleteClient($id) { + $client = new Client(); + $client->setId($id); + $this->clientMapper->delete($client); + return new RedirectResponse($this->urlGenerator->getAbsoluteURL('/index.php/settings/admin/security')); + } +} diff --git a/apps/oauth2/lib/Db/AccessToken.php b/apps/oauth2/lib/Db/AccessToken.php new file mode 100644 index 00000000000..8266a9a0068 --- /dev/null +++ b/apps/oauth2/lib/Db/AccessToken.php @@ -0,0 +1,53 @@ +<?php +/** + * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OCA\OAuth2\Db; + +use OCP\AppFramework\Db\Entity; + +/** + * @method int getTokenId() + * @method void setTokenId(int $identifier) + * @method int getClientId() + * @method void setClientId(int $identifier) + * @method string getEncryptedToken() + * @method void setEncryptedToken(string $token) + * @method string getHashedCode() + * @method void setHashedCode(string $token) + */ +class AccessToken extends Entity { + /** @var int */ + protected $tokenId; + /** @var int */ + protected $clientId; + /** @var string */ + protected $hashedCode; + /** @var string */ + protected $encryptedToken; + + public function __construct() { + $this->addType('id', 'int'); + $this->addType('token_id', 'int'); + $this->addType('client_id', 'int'); + $this->addType('hashed_code', 'string'); + $this->addType('encrypted_token', 'string'); + } +} diff --git a/apps/oauth2/lib/Db/AccessTokenMapper.php b/apps/oauth2/lib/Db/AccessTokenMapper.php new file mode 100644 index 00000000000..0400ad6366c --- /dev/null +++ b/apps/oauth2/lib/Db/AccessTokenMapper.php @@ -0,0 +1,49 @@ +<?php +/** + * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OCA\OAuth2\Db; + +use OCP\AppFramework\Db\Mapper; +use OCP\IDBConnection; + +class AccessTokenMapper extends Mapper { + + /** + * @param IDBConnection $db + */ + public function __construct(IDBConnection $db) { + parent::__construct($db, 'oauth2_access_tokens'); + } + + /** + * @param string $code + * @return AccessToken + */ + public function getByCode($code) { + $qb = $this->db->getQueryBuilder(); + $qb + ->select('*') + ->from($this->tableName) + ->where($qb->expr()->eq('hashed_code', $qb->createParameter('hashedCode'))); + + return $this->findEntity($qb->getSQL(), [hash('sha512', $code)]); + } +} diff --git a/apps/oauth2/lib/Db/Client.php b/apps/oauth2/lib/Db/Client.php new file mode 100644 index 00000000000..85c1630cb15 --- /dev/null +++ b/apps/oauth2/lib/Db/Client.php @@ -0,0 +1,53 @@ +<?php +/** + * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OCA\OAuth2\Db; + +use OCP\AppFramework\Db\Entity; + +/** + * @method string getClientIdentifier() + * @method void setClientIdentifier(string $identifier) + * @method string getSecret() + * @method void setSecret(string $secret) + * @method string getRedirectUri() + * @method void setRedirectUri(string $redirectUri) + * @method string getName() + * @method void setName(string $name) + */ +class Client extends Entity { + /** @var string */ + protected $name; + /** @var string */ + protected $redirectUri; + /** @var string */ + protected $clientIdentifier; + /** @var string */ + protected $secret; + + public function __construct() { + $this->addType('id', 'int'); + $this->addType('name', 'string'); + $this->addType('redirect_uri', 'string'); + $this->addType('client_identifier', 'string'); + $this->addType('secret', 'string'); + } +} diff --git a/apps/oauth2/lib/Db/ClientMapper.php b/apps/oauth2/lib/Db/ClientMapper.php new file mode 100644 index 00000000000..d3c09ac5c69 --- /dev/null +++ b/apps/oauth2/lib/Db/ClientMapper.php @@ -0,0 +1,61 @@ +<?php +/** + * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OCA\OAuth2\Db; + +use OCP\AppFramework\Db\Mapper; +use OCP\IDBConnection; + +class ClientMapper extends Mapper { + + /** + * @param IDBConnection $db + */ + public function __construct(IDBConnection $db) { + parent::__construct($db, 'oauth2_clients'); + } + + /** + * @param string $clientIdentifier + * @return Client + */ + public function getByIdentifier($clientIdentifier) { + $qb = $this->db->getQueryBuilder(); + $qb + ->select('*') + ->from($this->tableName) + ->where($qb->expr()->eq('client_identifier', $qb->createParameter('clientId'))); + + return $this->findEntity($qb->getSQL(), [$clientIdentifier]); + } + + /** + * @return Client[] + */ + public function getClients() { + $qb = $this->db->getQueryBuilder(); + $qb + ->select('*') + ->from($this->tableName); + + return $this->findEntities($qb->getSQL()); + } +} diff --git a/apps/oauth2/lib/Settings/Admin.php b/apps/oauth2/lib/Settings/Admin.php new file mode 100644 index 00000000000..aa120bcb7d7 --- /dev/null +++ b/apps/oauth2/lib/Settings/Admin.php @@ -0,0 +1,67 @@ +<?php +/** + * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OCA\OAuth2\Settings; + +use OCA\OAuth2\Db\ClientMapper; +use OCP\AppFramework\Http\TemplateResponse; +use OCP\IConfig; +use OCP\Settings\ISettings; + +class Admin implements ISettings { + /** @var ClientMapper */ + private $clientMapper; + + /** + * @param ClientMapper $clientMapper + */ + public function __construct(ClientMapper $clientMapper) { + $this->clientMapper = $clientMapper; + } + + /** + * @return TemplateResponse + */ + public function getForm() { + return new TemplateResponse( + 'oauth2', + 'admin', + [ + 'clients' => $this->clientMapper->getClients(), + ], + '' + ); + } + + /** + * {@inheritdoc} + */ + public function getSection() { + return 'security'; + } + + /** + * {@inheritdoc} + */ + public function getPriority() { + return 0; + } +} |