Browse Source

Merge branch 'dev' of github.com:gogits/gogs into dev

Conflicts:
	routers/user/user.go
Unknown 11 years ago
parent
commit
97b133bbee
4 changed files with 444 additions and 40 deletions
  1. 233 0
      modules/oauth2/oauth2.go
  2. 162 0
      modules/oauth2/oauth2_test.go
  3. 49 0
      routers/user/social.go
  4. 0 40
      routers/user/user.go

+ 233 - 0
modules/oauth2/oauth2.go

@@ -0,0 +1,233 @@
+// Copyright 2014 Google Inc. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package oauth2 contains Martini handlers to provide
+// user login via an OAuth 2.0 backend.
+package oauth2
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
+	"code.google.com/p/goauth2/oauth"
+	"github.com/go-martini/martini"
+	"github.com/martini-contrib/sessions"
+)
+
+const (
+	codeRedirect = 302
+	keyToken     = "oauth2_token"
+	keyNextPage  = "next"
+)
+
+var (
+	// Path to handle OAuth 2.0 logins.
+	PathLogin = "/login"
+	// Path to handle OAuth 2.0 logouts.
+	PathLogout = "/logout"
+	// Path to handle callback from OAuth 2.0 backend
+	// to exchange credentials.
+	PathCallback = "/oauth2callback"
+	// Path to handle error cases.
+	PathError = "/oauth2error"
+)
+
+// Represents OAuth2 backend options.
+type Options struct {
+	ClientId     string
+	ClientSecret string
+	RedirectURL  string
+	Scopes       []string
+
+	AuthUrl  string
+	TokenUrl string
+}
+
+// Represents a container that contains
+// user's OAuth 2.0 access and refresh tokens.
+type Tokens interface {
+	Access() string
+	Refresh() string
+	IsExpired() bool
+	ExpiryTime() time.Time
+	ExtraData() map[string]string
+}
+
+type token struct {
+	oauth.Token
+}
+
+func (t *token) ExtraData() map[string]string {
+	return t.Extra
+}
+
+// Returns the access token.
+func (t *token) Access() string {
+	return t.AccessToken
+}
+
+// Returns the refresh token.
+func (t *token) Refresh() string {
+	return t.RefreshToken
+}
+
+// Returns whether the access token is
+// expired or not.
+func (t *token) IsExpired() bool {
+	if t == nil {
+		return true
+	}
+	return t.Expired()
+}
+
+// Returns the expiry time of the user's
+// access token.
+func (t *token) ExpiryTime() time.Time {
+	return t.Expiry
+}
+
+// Formats tokens into string.
+func (t *token) String() string {
+	return fmt.Sprintf("tokens: %v", t)
+}
+
+// Returns a new Google OAuth 2.0 backend endpoint.
+func Google(opts *Options) martini.Handler {
+	opts.AuthUrl = "https://accounts.google.com/o/oauth2/auth"
+	opts.TokenUrl = "https://accounts.google.com/o/oauth2/token"
+	return NewOAuth2Provider(opts)
+}
+
+// Returns a new Github OAuth 2.0 backend endpoint.
+func Github(opts *Options) martini.Handler {
+	opts.AuthUrl = "https://github.com/login/oauth/authorize"
+	opts.TokenUrl = "https://github.com/login/oauth/access_token"
+	return NewOAuth2Provider(opts)
+}
+
+func Facebook(opts *Options) martini.Handler {
+	opts.AuthUrl = "https://www.facebook.com/dialog/oauth"
+	opts.TokenUrl = "https://graph.facebook.com/oauth/access_token"
+	return NewOAuth2Provider(opts)
+}
+
+// Returns a generic OAuth 2.0 backend endpoint.
+func NewOAuth2Provider(opts *Options) martini.Handler {
+	config := &oauth.Config{
+		ClientId:     opts.ClientId,
+		ClientSecret: opts.ClientSecret,
+		RedirectURL:  opts.RedirectURL,
+		Scope:        strings.Join(opts.Scopes, " "),
+		AuthURL:      opts.AuthUrl,
+		TokenURL:     opts.TokenUrl,
+	}
+
+	transport := &oauth.Transport{
+		Config:    config,
+		Transport: http.DefaultTransport,
+	}
+
+	return func(s sessions.Session, c martini.Context, w http.ResponseWriter, r *http.Request) {
+		if r.Method == "GET" {
+			switch r.URL.Path {
+			case PathLogin:
+				login(transport, s, w, r)
+			case PathLogout:
+				logout(transport, s, w, r)
+			case PathCallback:
+				handleOAuth2Callback(transport, s, w, r)
+			}
+		}
+
+		tk := unmarshallToken(s)
+		if tk != nil {
+			// check if the access token is expired
+			if tk.IsExpired() && tk.Refresh() == "" {
+				s.Delete(keyToken)
+				tk = nil
+			}
+		}
+		// Inject tokens.
+		c.MapTo(tk, (*Tokens)(nil))
+	}
+}
+
+// Handler that redirects user to the login page
+// if user is not logged in.
+// Sample usage:
+// m.Get("/login-required", oauth2.LoginRequired, func() ... {})
+var LoginRequired martini.Handler = func() martini.Handler {
+	return func(s sessions.Session, c martini.Context, w http.ResponseWriter, r *http.Request) {
+		token := unmarshallToken(s)
+		if token == nil || token.IsExpired() {
+			next := url.QueryEscape(r.URL.RequestURI())
+			http.Redirect(w, r, PathLogin+"?next="+next, codeRedirect)
+		}
+	}
+}()
+
+func login(t *oauth.Transport, s sessions.Session, w http.ResponseWriter, r *http.Request) {
+	next := extractPath(r.URL.Query().Get(keyNextPage))
+	if s.Get(keyToken) == nil {
+		// User is not logged in.
+		http.Redirect(w, r, t.Config.AuthCodeURL(next), codeRedirect)
+		return
+	}
+	// No need to login, redirect to the next page.
+	http.Redirect(w, r, next, codeRedirect)
+}
+
+func logout(t *oauth.Transport, s sessions.Session, w http.ResponseWriter, r *http.Request) {
+	next := extractPath(r.URL.Query().Get(keyNextPage))
+	s.Delete(keyToken)
+	http.Redirect(w, r, next, codeRedirect)
+}
+
+func handleOAuth2Callback(t *oauth.Transport, s sessions.Session, w http.ResponseWriter, r *http.Request) {
+	next := extractPath(r.URL.Query().Get("state"))
+	code := r.URL.Query().Get("code")
+	tk, err := t.Exchange(code)
+	if err != nil {
+		// Pass the error message, or allow dev to provide its own
+		// error handler.
+		http.Redirect(w, r, PathError, codeRedirect)
+		return
+	}
+	// Store the credentials in the session.
+	val, _ := json.Marshal(tk)
+	s.Set(keyToken, val)
+	http.Redirect(w, r, next, codeRedirect)
+}
+
+func unmarshallToken(s sessions.Session) (t *token) {
+	if s.Get(keyToken) == nil {
+		return
+	}
+	data := s.Get(keyToken).([]byte)
+	var tk oauth.Token
+	json.Unmarshal(data, &tk)
+	return &token{tk}
+}
+
+func extractPath(next string) string {
+	n, err := url.Parse(next)
+	if err != nil {
+		return "/"
+	}
+	return n.Path
+}

+ 162 - 0
modules/oauth2/oauth2_test.go

@@ -0,0 +1,162 @@
+// Copyright 2014 Google Inc. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package oauth2
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/go-martini/martini"
+	"github.com/martini-contrib/sessions"
+)
+
+func Test_LoginRedirect(t *testing.T) {
+	recorder := httptest.NewRecorder()
+	m := martini.New()
+	m.Use(sessions.Sessions("my_session", sessions.NewCookieStore([]byte("secret123"))))
+	m.Use(Google(&Options{
+		ClientId:     "client_id",
+		ClientSecret: "client_secret",
+		RedirectURL:  "refresh_url",
+		Scopes:       []string{"x", "y"},
+	}))
+
+	r, _ := http.NewRequest("GET", "/login", nil)
+	m.ServeHTTP(recorder, r)
+
+	location := recorder.HeaderMap["Location"][0]
+	if recorder.Code != 302 {
+		t.Errorf("Not being redirected to the auth page.")
+	}
+	if location != "https://accounts.google.com/o/oauth2/auth?access_type=&approval_prompt=&client_id=client_id&redirect_uri=refresh_url&response_type=code&scope=x+y&state=" {
+		t.Errorf("Not being redirected to the right page, %v found", location)
+	}
+}
+
+func Test_LoginRedirectAfterLoginRequired(t *testing.T) {
+	recorder := httptest.NewRecorder()
+	m := martini.Classic()
+	m.Use(sessions.Sessions("my_session", sessions.NewCookieStore([]byte("secret123"))))
+	m.Use(Google(&Options{
+		ClientId:     "client_id",
+		ClientSecret: "client_secret",
+		RedirectURL:  "refresh_url",
+		Scopes:       []string{"x", "y"},
+	}))
+
+	m.Get("/login-required", LoginRequired, func(tokens Tokens) (int, string) {
+		return 200, tokens.Access()
+	})
+
+	r, _ := http.NewRequest("GET", "/login-required?key=value", nil)
+	m.ServeHTTP(recorder, r)
+
+	location := recorder.HeaderMap["Location"][0]
+	if recorder.Code != 302 {
+		t.Errorf("Not being redirected to the auth page.")
+	}
+	if location != "/login?next=%2Flogin-required%3Fkey%3Dvalue" {
+		t.Errorf("Not being redirected to the right page, %v found", location)
+	}
+}
+
+func Test_Logout(t *testing.T) {
+	recorder := httptest.NewRecorder()
+	s := sessions.NewCookieStore([]byte("secret123"))
+
+	m := martini.Classic()
+	m.Use(sessions.Sessions("my_session", s))
+	m.Use(Google(&Options{
+	// no need to configure
+	}))
+
+	m.Get("/", func(s sessions.Session) {
+		s.Set(keyToken, "dummy token")
+	})
+
+	m.Get("/get", func(s sessions.Session) {
+		if s.Get(keyToken) != nil {
+			t.Errorf("User credentials are still kept in the session.")
+		}
+	})
+
+	logout, _ := http.NewRequest("GET", "/logout", nil)
+	index, _ := http.NewRequest("GET", "/", nil)
+
+	m.ServeHTTP(httptest.NewRecorder(), index)
+	m.ServeHTTP(recorder, logout)
+
+	if recorder.Code != 302 {
+		t.Errorf("Not being redirected to the next page.")
+	}
+}
+
+func Test_LogoutOnAccessTokenExpiration(t *testing.T) {
+	recorder := httptest.NewRecorder()
+	s := sessions.NewCookieStore([]byte("secret123"))
+
+	m := martini.Classic()
+	m.Use(sessions.Sessions("my_session", s))
+	m.Use(Google(&Options{
+	// no need to configure
+	}))
+
+	m.Get("/addtoken", func(s sessions.Session) {
+		s.Set(keyToken, "dummy token")
+	})
+
+	m.Get("/", func(s sessions.Session) {
+		if s.Get(keyToken) != nil {
+			t.Errorf("User not logged out although access token is expired.")
+		}
+	})
+
+	addtoken, _ := http.NewRequest("GET", "/addtoken", nil)
+	index, _ := http.NewRequest("GET", "/", nil)
+	m.ServeHTTP(recorder, addtoken)
+	m.ServeHTTP(recorder, index)
+}
+
+func Test_InjectedTokens(t *testing.T) {
+	recorder := httptest.NewRecorder()
+	m := martini.Classic()
+	m.Use(sessions.Sessions("my_session", sessions.NewCookieStore([]byte("secret123"))))
+	m.Use(Google(&Options{
+	// no need to configure
+	}))
+	m.Get("/", func(tokens Tokens) string {
+		return "Hello world!"
+	})
+	r, _ := http.NewRequest("GET", "/", nil)
+	m.ServeHTTP(recorder, r)
+}
+
+func Test_LoginRequired(t *testing.T) {
+	recorder := httptest.NewRecorder()
+	m := martini.Classic()
+	m.Use(sessions.Sessions("my_session", sessions.NewCookieStore([]byte("secret123"))))
+	m.Use(Google(&Options{
+	// no need to configure
+	}))
+	m.Get("/", LoginRequired, func(tokens Tokens) string {
+		return "Hello world!"
+	})
+	r, _ := http.NewRequest("GET", "/", nil)
+	m.ServeHTTP(recorder, r)
+	if recorder.Code != 302 {
+		t.Errorf("Not being redirected to the auth page although user is not logged in.")
+	}
+}

+ 49 - 0
routers/user/social.go

@@ -0,0 +1,49 @@
+// Copyright 2014 The Gogs Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+package user
+
+import (
+	"encoding/json"
+
+	"code.google.com/p/goauth2/oauth"
+	"github.com/gogits/gogs/modules/log"
+	"github.com/gogits/gogs/modules/oauth2"
+)
+
+// github && google && ...
+func SocialSignIn(tokens oauth2.Tokens) {
+	transport := &oauth.Transport{}
+	transport.Token = &oauth.Token{
+		AccessToken:  tokens.Access(),
+		RefreshToken: tokens.Refresh(),
+		Expiry:       tokens.ExpiryTime(),
+		Extra:        tokens.ExtraData(),
+	}
+
+	// Github API refer: https://developer.github.com/v3/users/
+	// FIXME: need to judge url
+	type GithubUser struct {
+		Id    int    `json:"id"`
+		Name  string `json:"login"`
+		Email string `json:"email"`
+	}
+
+	// Make the request.
+	scope := "https://api.github.com/user"
+	r, err := transport.Client().Get(scope)
+	if err != nil {
+		log.Error("connect with github error: %s", err)
+		// FIXME: handle error page
+		return
+	}
+	defer r.Body.Close()
+
+	user := &GithubUser{}
+	err = json.NewDecoder(r.Body).Decode(user)
+	if err != nil {
+		log.Error("Get: %s", err)
+	}
+	log.Info("login: %s", user.Name)
+	// FIXME: login here, user email to check auth, if not registe, then generate a uniq username
+}

+ 0 - 40
routers/user/user.go

@@ -5,14 +5,11 @@
 package user
 
 import (
-	// "encoding/json"
 	"fmt"
 	"net/url"
 	"strings"
 
-	// "code.google.com/p/goauth2/oauth"
 	"github.com/go-martini/martini"
-	// "github.com/martini-contrib/oauth2"
 
 	"github.com/gogits/gogs/models"
 	"github.com/gogits/gogs/modules/auth"
@@ -77,43 +74,6 @@ func Profile(ctx *middleware.Context, params martini.Params) {
 	ctx.HTML(200, "user/profile")
 }
 
-// github && google && ...
-// func SocialSignIn(tokens oauth2.Tokens) {
-// 	transport := &oauth.Transport{}
-// 	transport.Token = &oauth.Token{
-// 		AccessToken:  tokens.Access(),
-// 		RefreshToken: tokens.Refresh(),
-// 		Expiry:       tokens.ExpiryTime(),
-// 		Extra:        tokens.ExtraData(),
-// 	}
-
-// 	// Github API refer: https://developer.github.com/v3/users/
-// 	// FIXME: need to judge url
-// 	type GithubUser struct {
-// 		Id    int    `json:"id"`
-// 		Name  string `json:"login"`
-// 		Email string `json:"email"`
-// 	}
-
-// 	// Make the request.
-// 	scope := "https://api.github.com/user"
-// 	r, err := transport.Client().Get(scope)
-// 	if err != nil {
-// 		log.Error("connect with github error: %s", err)
-// 		// FIXME: handle error page
-// 		return
-// 	}
-// 	defer r.Body.Close()
-
-// 	user := &GithubUser{}
-// 	err = json.NewDecoder(r.Body).Decode(user)
-// 	if err != nil {
-// 		log.Error("Get: %s", err)
-// 	}
-// 	log.Info("login: %s", user.Name)
-// 	// FIXME: login here, user email to check auth, if not registe, then generate a uniq username
-// }
-
 func SignIn(ctx *middleware.Context, form auth.LogInForm) {
 	ctx.Data["Title"] = "Log In"