From c39e95c7cb1ad6e812aa3ce4000b4dfdf214e77e Mon Sep 17 00:00:00 2001 From: JoramWilander Date: Wed, 15 Jul 2015 12:48:50 -0400 Subject: inital implementation of using GitLab OAuth2 provider for signup/login --- api/user.go | 150 +++++++++++++++++++++++++++++++++++++++++------------------- 1 file changed, 104 insertions(+), 46 deletions(-) (limited to 'api') diff --git a/api/user.go b/api/user.go index 7035613ea..4765a5611 100644 --- a/api/user.go +++ b/api/user.go @@ -133,6 +133,10 @@ func createUser(c *Context, w http.ResponseWriter, r *http.Request) { user.EmailVerified = true } + if len(user.AuthData) > 0 && len(user.AuthService) > 0 { + user.EmailVerified = true + } + ruser := CreateUser(c, team, user) if c.Err != nil { return @@ -233,80 +237,71 @@ func FireAndForgetVerifyEmail(userId, name, email, teamDisplayName, teamURL stri }() } -func login(c *Context, w http.ResponseWriter, r *http.Request) { - props := model.MapFromJson(r.Body) - - extraInfo := "" - var result store.StoreResult - - if len(props["id"]) != 0 { - extraInfo = props["id"] - if result = <-Srv.Store.User().Get(props["id"]); result.Err != nil { - c.Err = result.Err - return +func LoginById(c *Context, w http.ResponseWriter, r *http.Request, userId, password, deviceId string) { + if result := <-Srv.Store.User().Get(userId); result.Err != nil { + c.Err = result.Err + return + } else { + user := result.Data.(*model.User) + if checkUserPassword(c, user, password) { + Login(c, w, r, user, deviceId) } } +} +func LoginByEmail(c *Context, w http.ResponseWriter, r *http.Request, email, name, password, deviceId string) { var team *model.Team - if result.Data == nil && len(props["email"]) != 0 && len(props["name"]) != 0 { - extraInfo = props["email"] + " in " + props["name"] - - if nr := <-Srv.Store.Team().GetByName(props["name"]); nr.Err != nil { - c.Err = nr.Err - return - } else { - team = nr.Data.(*model.Team) - if result = <-Srv.Store.User().GetByEmail(team.Id, props["email"]); result.Err != nil { - c.Err = result.Err - return - } - } - } - - if result.Data == nil { - c.Err = model.NewAppError("login", "Login failed because we couldn't find a valid account", extraInfo) - c.Err.StatusCode = http.StatusBadRequest + if result := <-Srv.Store.Team().GetByName(name); result.Err != nil { + c.Err = result.Err return + } else { + team = result.Data.(*model.Team) } - user := result.Data.(*model.User) + if result := <-Srv.Store.User().GetByEmail(team.Id, email); result.Err != nil { + c.Err = result.Err + return + } else { + user := result.Data.(*model.User) - if team == nil { - if tResult := <-Srv.Store.Team().Get(user.TeamId); tResult.Err != nil { - c.Err = tResult.Err - return - } else { - team = tResult.Data.(*model.Team) + if checkUserPassword(c, user, password) { + Login(c, w, r, user, deviceId) } } +} - c.LogAuditWithUserId(user.Id, "attempt") - - if !model.ComparePassword(user.Password, props["password"]) { +func checkUserPassword(c *Context, user *model.User, password string) bool { + if !model.ComparePassword(user.Password, password) { c.LogAuditWithUserId(user.Id, "fail") - c.Err = model.NewAppError("login", "Login failed because of invalid password", extraInfo) + c.Err = model.NewAppError("checkUserPassword", "Login failed because of invalid password", "user_id="+user.Id) c.Err.StatusCode = http.StatusForbidden - return + return false } + return true +} + +// User MUST be validated before calling Login +func Login(c *Context, w http.ResponseWriter, r *http.Request, user *model.User, deviceId string) { + c.LogAuditWithUserId(user.Id, "attempt") if !user.EmailVerified && !utils.Cfg.EmailSettings.ByPassEmail { - c.Err = model.NewAppError("login", "Login failed because email address has not been verified", extraInfo) + c.Err = model.NewAppError("Login", "Login failed because email address has not been verified", "user_id="+user.Id) c.Err.StatusCode = http.StatusForbidden return } if user.DeleteAt > 0 { - c.Err = model.NewAppError("login", "Login failed because your account has been set to inactive. Please contact an administrator.", extraInfo) + c.Err = model.NewAppError("Login", "Login failed because your account has been set to inactive. Please contact an administrator.", "user_id="+user.Id) c.Err.StatusCode = http.StatusForbidden return } - session := &model.Session{UserId: user.Id, TeamId: team.Id, Roles: user.Roles, DeviceId: props["device_id"]} + session := &model.Session{UserId: user.Id, TeamId: user.TeamId, Roles: user.Roles, DeviceId: deviceId} maxAge := model.SESSION_TIME_WEB_IN_SECS - if len(props["device_id"]) > 0 { + if len(deviceId) > 0 { session.SetExpireInDays(model.SESSION_TIME_MOBILE_IN_DAYS) maxAge = model.SESSION_TIME_MOBILE_IN_SECS } else { @@ -361,8 +356,22 @@ func login(c *Context, w http.ResponseWriter, r *http.Request) { c.Session = *session c.LogAuditWithUserId(user.Id, "success") +} - w.Write([]byte(result.Data.(*model.User).ToJson())) +func login(c *Context, w http.ResponseWriter, r *http.Request) { + props := model.MapFromJson(r.Body) + + if len(props["id"]) != 0 { + LoginById(c, w, r, props["id"], props["password"], props["device_id"]) + } else if len(props["email"]) != 0 && len(props["name"]) != 0 { + LoginByEmail(c, w, r, props["email"], props["name"], props["password"], props["device_id"]) + } + + if c.Err != nil { + return + } + + w.Write([]byte("{}")) } func revokeSession(c *Context, w http.ResponseWriter, r *http.Request) { @@ -1212,3 +1221,52 @@ func getStatuses(c *Context, w http.ResponseWriter, r *http.Request) { return } } + +func AuthorizeGitLabUser(code, state, uri string) (*model.GitLabUser, *model.AppError) { + if !model.ComparePassword(state, utils.Cfg.SSOSettings.GitLabId) { + return nil, model.NewAppError("AuthorizeGitLabUser", "Invalid state", "") + } + + p := url.Values{} + p.Set("client_id", utils.Cfg.SSOSettings.GitLabId) + p.Set("client_secret", utils.Cfg.SSOSettings.GitLabSecret) + p.Set("code", code) + p.Set("grant_type", model.ACCESS_TOKEN_GRANT_TYPE) + p.Set("redirect_uri", uri) + + client := &http.Client{} + req, _ := http.NewRequest("POST", utils.Cfg.SSOSettings.GitLabUrl+"/oauth/token", strings.NewReader(p.Encode())) + + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + req.Header.Set("Accept", "application/json") + + var ar *model.AccessResponse + if resp, err := client.Do(req); err != nil { + return nil, model.NewAppError("AuthorizeGitLabUser", "Token request to GitLab failed", err.Error()) + } else { + ar = model.AccessResponseFromJson(resp.Body) + } + + if ar.TokenType != model.ACCESS_TOKEN_TYPE { + return nil, model.NewAppError("AuthorizeGitLabUser", "Bad token type", "token_type="+ar.TokenType) + } + + if len(ar.AccessToken) == 0 { + return nil, model.NewAppError("AuthorizeGitLabUser", "Missing access token", "") + } + + p = url.Values{} + p.Set("access_token", ar.AccessToken) + req, _ = http.NewRequest("GET", utils.Cfg.SSOSettings.GitLabUrl+"/api/v3/user", strings.NewReader("")) + + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + req.Header.Set("Accept", "application/json") + req.Header.Set("Authorization", "Bearer "+ar.AccessToken) + + if resp, err := client.Do(req); err != nil { + return nil, model.NewAppError("AuthorizeGitLabUser", "Token request to GitLab failed", err.Error()) + } else { + return model.GitLabUserFromJson(resp.Body), nil + } + +} -- cgit v1.2.3-1-g7c22