2021-09-11 11:37:31 +00:00
|
|
|
/*
|
2023-07-29 15:46:33 +00:00
|
|
|
Copyright 2020-2023 CAcert Inc.
|
|
|
|
SPDX-License-Identifier: Apache-2.0
|
2021-09-11 11:37:31 +00:00
|
|
|
|
2023-07-29 15:46:33 +00:00
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
You may obtain a copy of the License at
|
2021-09-11 11:37:31 +00:00
|
|
|
|
2023-07-29 15:46:33 +00:00
|
|
|
https://www.apache.org/licenses/LICENSE-2.0
|
2021-09-11 11:37:31 +00:00
|
|
|
|
2023-07-29 15:46:33 +00:00
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
limitations under the License.
|
2021-09-11 11:37:31 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
package handlers
|
|
|
|
|
|
|
|
import (
|
|
|
|
"bytes"
|
|
|
|
"encoding/base64"
|
|
|
|
"encoding/json"
|
2023-07-29 15:46:33 +00:00
|
|
|
"errors"
|
|
|
|
"fmt"
|
2021-09-11 11:37:31 +00:00
|
|
|
"net/http"
|
|
|
|
"net/url"
|
|
|
|
|
|
|
|
"github.com/lestrrat-go/jwx/jwk"
|
|
|
|
"github.com/lestrrat-go/jwx/jwt"
|
|
|
|
"github.com/lestrrat-go/jwx/jwt/openid"
|
|
|
|
log "github.com/sirupsen/logrus"
|
2023-07-29 15:46:33 +00:00
|
|
|
"golang.org/x/oauth2"
|
2021-09-11 11:37:31 +00:00
|
|
|
|
2023-07-29 15:46:33 +00:00
|
|
|
"code.cacert.org/cacert/oidc-demo-app/models"
|
|
|
|
"code.cacert.org/cacert/oidc-demo-app/services"
|
2021-09-11 11:37:31 +00:00
|
|
|
)
|
|
|
|
|
2023-07-29 15:46:33 +00:00
|
|
|
const (
|
|
|
|
sessionName = "resource_session"
|
2021-09-11 11:37:31 +00:00
|
|
|
|
2023-07-29 15:46:33 +00:00
|
|
|
oauth2RedirectStateLength = 8
|
|
|
|
)
|
|
|
|
|
|
|
|
func Authenticate(logger *log.Logger, oauth2Config *oauth2.Config, clientID string) func(http.Handler) http.Handler {
|
2021-09-11 11:37:31 +00:00
|
|
|
return func(next http.Handler) http.Handler {
|
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
session, err := services.GetSessionStore().Get(r, sessionName)
|
|
|
|
if err != nil {
|
|
|
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
2023-07-29 15:46:33 +00:00
|
|
|
|
2021-09-11 11:37:31 +00:00
|
|
|
return
|
|
|
|
}
|
2023-07-29 15:46:33 +00:00
|
|
|
|
|
|
|
if _, ok := session.Values[sessionKeyIDToken]; ok {
|
2021-09-11 11:37:31 +00:00
|
|
|
next.ServeHTTP(w, r)
|
2023-07-29 15:46:33 +00:00
|
|
|
|
2021-09-11 11:37:31 +00:00
|
|
|
return
|
|
|
|
}
|
2023-07-29 15:46:33 +00:00
|
|
|
|
2021-09-11 11:37:31 +00:00
|
|
|
session.Values[sessionRedirectTarget] = r.URL.String()
|
2023-07-29 15:46:33 +00:00
|
|
|
|
2021-09-11 11:37:31 +00:00
|
|
|
if err = session.Save(r, w); err != nil {
|
|
|
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
2023-07-29 15:46:33 +00:00
|
|
|
|
2021-09-11 11:37:31 +00:00
|
|
|
return
|
|
|
|
}
|
2023-07-29 15:46:33 +00:00
|
|
|
|
|
|
|
var authURL *url.URL
|
|
|
|
|
|
|
|
if authURL, err = url.Parse(oauth2Config.Endpoint.AuthURL); err != nil {
|
2021-09-11 11:37:31 +00:00
|
|
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
2023-07-29 15:46:33 +00:00
|
|
|
|
2021-09-11 11:37:31 +00:00
|
|
|
return
|
|
|
|
}
|
2023-07-29 15:46:33 +00:00
|
|
|
|
|
|
|
queryValues := authURL.Query()
|
|
|
|
queryValues.Set("client_id", clientID)
|
2021-09-11 11:37:31 +00:00
|
|
|
queryValues.Set("response_type", "code")
|
|
|
|
queryValues.Set("scope", "openid offline_access profile email")
|
2023-07-29 15:46:33 +00:00
|
|
|
queryValues.Set("state", base64.URLEncoding.EncodeToString(services.GenerateKey(oauth2RedirectStateLength)))
|
2021-09-11 11:37:31 +00:00
|
|
|
queryValues.Set("claims", getRequestedClaims(logger))
|
2023-07-29 15:46:33 +00:00
|
|
|
authURL.RawQuery = queryValues.Encode()
|
2021-09-11 11:37:31 +00:00
|
|
|
|
2023-07-29 15:46:33 +00:00
|
|
|
w.Header().Set("Location", authURL.String())
|
2021-09-11 11:37:31 +00:00
|
|
|
w.WriteHeader(http.StatusFound)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func getRequestedClaims(logger *log.Logger) string {
|
|
|
|
claims := make(models.OIDCClaimsRequest)
|
|
|
|
claims["userinfo"] = make(models.ClaimElement)
|
|
|
|
essentialItem := make(models.IndividualClaimRequest)
|
|
|
|
essentialItem["essential"] = true
|
2023-07-29 15:46:33 +00:00
|
|
|
claims["userinfo"]["https://auth.cacert.org/groups"] = &essentialItem
|
2021-09-11 11:37:31 +00:00
|
|
|
|
|
|
|
target := make([]byte, 0)
|
|
|
|
buf := bytes.NewBuffer(target)
|
|
|
|
enc := json.NewEncoder(buf)
|
2023-07-29 15:46:33 +00:00
|
|
|
|
2021-09-11 11:37:31 +00:00
|
|
|
if err := enc.Encode(claims); err != nil {
|
2023-07-29 15:46:33 +00:00
|
|
|
logger.WithError(err).Warn("could not encode claims request parameter")
|
2021-09-11 11:37:31 +00:00
|
|
|
}
|
2023-07-29 15:46:33 +00:00
|
|
|
|
2021-09-11 11:37:31 +00:00
|
|
|
return buf.String()
|
|
|
|
}
|
|
|
|
|
2023-07-29 15:46:33 +00:00
|
|
|
func ParseIDToken(token string, keySet jwk.Set) (openid.Token, error) {
|
|
|
|
var (
|
|
|
|
parsedIDToken jwt.Token
|
|
|
|
err error
|
|
|
|
)
|
|
|
|
|
|
|
|
if parsedIDToken, err = jwt.ParseString(token, jwt.WithKeySet(keySet), jwt.WithToken(openid.New())); err != nil {
|
|
|
|
return nil, fmt.Errorf("could not parse ID token: %w", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if v, ok := parsedIDToken.(openid.Token); ok {
|
|
|
|
return v, nil
|
2021-09-11 11:37:31 +00:00
|
|
|
}
|
2023-07-29 15:46:33 +00:00
|
|
|
|
|
|
|
return nil, errors.New("ID token is no OpenID Connect Identity Token")
|
2021-09-11 11:37:31 +00:00
|
|
|
}
|