feat(cli): added implementation for codeflow with a cli (#26)

2020-04-30 07:08:30 +02:00 · 2020-04-30 07:08:30 +02:00 · b52fd090a7
commit b52fd090a7
parent f818b3461a
7 changed files with 219 additions and 18 deletions
--- a/pkg/cli/cli.go
+++ b/pkg/cli/cli.go
@ -0,0 +1,107 @@
+package cli
+
+import (
+	"context"
+	"fmt"
+	"github.com/caos/oidc/pkg/oidc"
+	"github.com/caos/oidc/pkg/rp"
+	"github.com/caos/oidc/pkg/utils"
+	"github.com/google/uuid"
+	"github.com/sirupsen/logrus"
+	"log"
+	"net/http"
+	"strings"
+	"time"
+)
+
+func CodeFlow(rpc *rp.Config, key []byte, callbackPath string, port string) *oidc.Tokens {
+	cookieHandler := utils.NewCookieHandler(key, key, utils.WithUnsecure())
+	provider, err := rp.NewDefaultRP(rpc, rp.WithCookieHandler(cookieHandler)) //rp.WithPKCE(cookieHandler)) //,
+	if err != nil {
+		logrus.Fatalf("error creating provider %s", err.Error())
+	}
+
+	return codeFlow(provider, callbackPath, port)
+}
+
+func CodeFlowForClient(rpc *rp.Config, key []byte, callbackPath string, port string) *http.Client {
+	cookieHandler := utils.NewCookieHandler(key, key, utils.WithUnsecure())
+	provider, err := rp.NewDefaultRP(rpc, rp.WithCookieHandler(cookieHandler)) //rp.WithPKCE(cookieHandler)) //,
+	if err != nil {
+		logrus.Fatalf("error creating provider %s", err.Error())
+	}
+	token := codeFlow(provider, callbackPath, port)
+
+	return provider.Client(context.Background(), token.Token)
+}
+
+func codeFlow(provider rp.DelegationTokenExchangeRP, callbackPath string, port string) *oidc.Tokens {
+	loginPath := "/login"
+	portStr := port
+	if !strings.HasPrefix(port, ":") {
+		portStr = strings.Join([]string{":", portStr}, "")
+	}
+
+	getToken, setToken := getAndSetTokens()
+
+	state := uuid.New().String()
+	http.Handle(loginPath, provider.AuthURLHandler(state))
+
+	marshal := func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens, state string) {
+		setToken(w, tokens)
+	}
+	http.Handle(callbackPath, provider.CodeExchangeHandler(marshal))
+
+	// start  http-server
+	stopHttpServer := startHttpServer(portStr)
+
+	// open browser in different window
+	utils.OpenBrowser(strings.Join([]string{"http://localhost", portStr, loginPath}, ""))
+
+	// wait until user is logged into browser
+	ret := getToken()
+
+	// stop http-server as no callback is needed anymore
+	stopHttpServer()
+
+	// return tokens
+	return ret
+}
+
+func startHttpServer(port string) func() {
+	srv := &http.Server{Addr: port}
+	go func() {
+
+		// always returns error. ErrServerClosed on graceful close
+		if err := srv.ListenAndServe(); err != http.ErrServerClosed {
+			// unexpected error. port in use?
+			log.Fatalf("ListenAndServe(): %v", err)
+		}
+	}()
+
+	return func() {
+		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
+
+		if err := srv.Shutdown(ctx); err != nil {
+			log.Fatalf("Shutdown(): %v", err)
+		}
+	}
+}
+
+func getAndSetTokens() (func() *oidc.Tokens, func(w http.ResponseWriter, tokens *oidc.Tokens)) {
+	marshalChan := make(chan *oidc.Tokens)
+
+	getToken := func() *oidc.Tokens {
+		return <-marshalChan
+	}
+	setToken := func(w http.ResponseWriter, tokens *oidc.Tokens) {
+		marshalChan <- tokens
+
+		msg := "<p><strong>Success!</strong></p>"
+		msg = msg + "<p>You are authenticated and can now return to the CLI.</p>"
+		fmt.Fprintf(w, msg)
+	}
+
+	return getToken, setToken
+}
--- a/pkg/rp/default_rp.go
+++ b/pkg/rp/default_rp.go
@ -40,7 +40,8 @@ type DefaultRP struct {

 	errorHandler func(http.ResponseWriter, *http.Request, string, string, string)

-	verifier Verifier
+	verifier   Verifier
+	onlyOAuth2 bool
 }

 //NewDefaultRP creates `DefaultRP` with the given
@ -48,17 +49,29 @@ type DefaultRP struct {
 //it will run discovery on the provided issuer
 //if no verifier is provided using the options the `DefaultVerifier` is set
 func NewDefaultRP(rpConfig *Config, rpOpts ...DefaultRPOpts) (DelegationTokenExchangeRP, error) {
+	foundOpenID := false
+	for _, scope := range rpConfig.Scopes {
+		if scope == "openid" {
+			foundOpenID = true
+		}
+	}
+
 	p := &DefaultRP{
 		config:     rpConfig,
 		httpClient: utils.DefaultHTTPClient,
+		onlyOAuth2: !foundOpenID,
 	}

 	for _, optFunc := range rpOpts {
 		optFunc(p)
 	}

-	if err := p.discover(); err != nil {
-		return nil, err
+	if rpConfig.Endpoints.TokenURL != "" && rpConfig.Endpoints.AuthURL != "" {
+		p.oauthConfig = p.getOAuthConfig(rpConfig.Endpoints)
+	} else {
+		if err := p.discover(); err != nil {
+			return nil, err
+		}
 	}

 	if p.errorHandler == nil {
@ -159,9 +172,12 @@ func (p *DefaultRP) CodeExchange(ctx context.Context, code string, opts ...CodeE
 		//TODO: implement
 	}

-	idToken, err := p.verifier.Verify(ctx, token.AccessToken, idTokenString)
-	if err != nil {
-		return nil, err //TODO: err
+	idToken := new(oidc.IDTokenClaims)
+	if !p.onlyOAuth2 {
+		idToken, err = p.verifier.Verify(ctx, token.AccessToken, idTokenString)
+		if err != nil {
+			return nil, err //TODO: err
+		}
 	}

 	return &oidc.Tokens{Token: token, IDTokenClaims: idToken, IDToken: idTokenString}, nil
@ -241,14 +257,18 @@ func (p *DefaultRP) discover() error {
 		return err
 	}
 	p.endpoints = GetEndpoints(discoveryConfig)
-	p.oauthConfig = oauth2.Config{
+	p.oauthConfig = p.getOAuthConfig(p.endpoints.Endpoint)
+	return nil
+}
+
+func (p *DefaultRP) getOAuthConfig(endpoint oauth2.Endpoint) oauth2.Config {
+	return oauth2.Config{
 		ClientID:     p.config.ClientID,
 		ClientSecret: p.config.ClientSecret,
-		Endpoint:     p.endpoints.Endpoint,
+		Endpoint:     endpoint,
 		RedirectURL:  p.config.CallbackURL,
 		Scopes:       p.config.Scopes,
 	}
-	return nil
 }

 func (p *DefaultRP) callTokenEndpoint(request interface{}) (newToken *oauth2.Token, err error) {
@ -285,3 +305,7 @@ func (p *DefaultRP) tryReadStateCookie(w http.ResponseWriter, r *http.Request) (
 	p.cookieHandler.DeleteCookie(w, stateParam)
 	return state, nil
 }
+
+func (p *DefaultRP) Client(ctx context.Context, token *oauth2.Token) *http.Client {
+	return p.oauthConfig.Client(ctx, token)
+}
--- a/pkg/rp/relaying_party.go
+++ b/pkg/rp/relaying_party.go
@ -11,6 +11,8 @@ import (

 //RelayingParty declares the minimal interface for oidc clients
 type RelayingParty interface {
+	//Client return a standard http client where the token can be used
+	Client(ctx context.Context, token *oauth2.Token) *http.Client

 	//AuthURL returns the authorization endpoint with a given state
 	AuthURL(state string, opts ...AuthURLOpt) string
@ -59,6 +61,7 @@ type Config struct {
 	CallbackURL  string
 	Issuer       string
 	Scopes       []string
+	Endpoints    oauth2.Endpoint
 }

 type OptionFunc func(RelayingParty)
--- a/pkg/utils/browser.go
+++ b/pkg/utils/browser.go
@ -0,0 +1,26 @@
+package utils
+
+import (
+	"fmt"
+	"log"
+	"os/exec"
+	"runtime"
+)
+
+func OpenBrowser(url string) {
+	var err error
+
+	switch runtime.GOOS {
+	case "linux":
+		err = exec.Command("xdg-open", url).Start()
+	case "windows":
+		err = exec.Command("rundll32", "url.dll,FileProtocolHandler", url).Start()
+	case "darwin":
+		err = exec.Command("open", url).Start()
+	default:
+		err = fmt.Errorf("unsupported platform")
+	}
+	if err != nil {
+		log.Fatal(err)
+	}
+}