|
|
@@ -6,28 +6,16 @@ import (
|
|
|
"net/http"
|
|
|
"strconv"
|
|
|
|
|
|
+ "github.com/porter-dev/porter/internal/models"
|
|
|
+
|
|
|
"github.com/go-chi/chi"
|
|
|
"github.com/google/go-github/github"
|
|
|
"github.com/porter-dev/porter/internal/oauth"
|
|
|
"golang.org/x/oauth2"
|
|
|
)
|
|
|
|
|
|
-// There is a difference between the oauth flow when logging a user in, and when
|
|
|
-// linking a repository.
|
|
|
-
|
|
|
-// When logging a user in, the access token gets stored in the session, and no refresh
|
|
|
-// token is requested. We store the access token in the session because a user can be
|
|
|
-// logged in multiple times with a single access token.
|
|
|
-
|
|
|
-// NOTE: this user flow will likely be augmented with Dex, or entirely replaced with Dex.
|
|
|
-
|
|
|
-// However, when linking a repository, the access token and refresh token are requested when
|
|
|
-// the flow has started. A project also gets linked to the session. After callback, a new
|
|
|
-// github config gets stored for the project, and the user will then get redirected to
|
|
|
-// a URL that allows them to select their repositories they'd like to link. We require a refresh
|
|
|
-// token because we need permanent access to the linked repository.
|
|
|
-
|
|
|
-func (app *App) HandleOAuthStartUser(w http.ResponseWriter, r *http.Request) {
|
|
|
+// HandleGithubOAuthStartUser starts the oauth2 flow for a user login request.
|
|
|
+func (app *App) HandleGithubOAuthStartUser(w http.ResponseWriter, r *http.Request) {
|
|
|
state := oauth.CreateRandomState()
|
|
|
|
|
|
err := app.populateOAuthSession(w, r, state, false)
|
|
|
@@ -43,7 +31,10 @@ func (app *App) HandleOAuthStartUser(w http.ResponseWriter, r *http.Request) {
|
|
|
http.Redirect(w, r, url, 302)
|
|
|
}
|
|
|
|
|
|
-func (app *App) HandleOAuthStartProject(w http.ResponseWriter, r *http.Request) {
|
|
|
+// HandleGithubOAuthStartProject starts the oauth2 flow for a project repo request.
|
|
|
+// In this handler, the project id gets written to the session (along with the oauth
|
|
|
+// state param), so that the correct project id can be identified in the callback.
|
|
|
+func (app *App) HandleGithubOAuthStartProject(w http.ResponseWriter, r *http.Request) {
|
|
|
state := oauth.CreateRandomState()
|
|
|
|
|
|
err := app.populateOAuthSession(w, r, state, true)
|
|
|
@@ -59,7 +50,23 @@ func (app *App) HandleOAuthStartProject(w http.ResponseWriter, r *http.Request)
|
|
|
http.Redirect(w, r, url, 302)
|
|
|
}
|
|
|
|
|
|
-func (app *App) HandleOauthCallback(w http.ResponseWriter, r *http.Request) {
|
|
|
+// HandleGithubOAuthCallback verifies the callback request by checking that the
|
|
|
+// state parameter has not been modified, and validates the token.
|
|
|
+// There is a difference between the oauth flow when logging a user in, and when
|
|
|
+// linking a repository.
|
|
|
+//
|
|
|
+// When logging a user in, the access token gets stored in the session, and no refresh
|
|
|
+// token is requested. We store the access token in the session because a user can be
|
|
|
+// logged in multiple times with a single access token.
|
|
|
+//
|
|
|
+// NOTE: this user flow will likely be augmented with Dex, or entirely replaced with Dex.
|
|
|
+//
|
|
|
+// However, when linking a repository, the access token and refresh token are requested when
|
|
|
+// the flow has started. A project also gets linked to the session. After callback, a new
|
|
|
+// github config gets stored for the project, and the user will then get redirected to
|
|
|
+// a URL that allows them to select their repositories they'd like to link. We require a refresh
|
|
|
+// token because we need permanent access to the linked repository.
|
|
|
+func (app *App) HandleGithubOAuthCallback(w http.ResponseWriter, r *http.Request) {
|
|
|
session, err := app.store.Get(r, app.cookieName)
|
|
|
|
|
|
if err != nil {
|
|
|
@@ -68,58 +75,48 @@ func (app *App) HandleOauthCallback(w http.ResponseWriter, r *http.Request) {
|
|
|
}
|
|
|
|
|
|
if _, ok := session.Values["state"]; !ok {
|
|
|
- // TODO -- SEND A CUSTOM ERROR, PROBABLY MEANS COOKIES ARE NOT ENABLED
|
|
|
- // FOR NOW JUST SEND DATA READ ERROR
|
|
|
- app.handleErrorDataRead(err, w)
|
|
|
+ app.sendExternalError(
|
|
|
+ err,
|
|
|
+ http.StatusForbidden,
|
|
|
+ HTTPError{
|
|
|
+ Code: http.StatusForbidden,
|
|
|
+ Errors: []string{
|
|
|
+ "Could not read cookie: are cookies enabled?",
|
|
|
+ },
|
|
|
+ },
|
|
|
+ w,
|
|
|
+ )
|
|
|
+
|
|
|
return
|
|
|
}
|
|
|
|
|
|
if r.URL.Query().Get("state") != session.Values["state"] {
|
|
|
- // TODO -- SEND A CUSTOM ERROR, THIS MEANS THAT IDP CANNOT BE TRUSTED
|
|
|
- app.handleErrorDataRead(err, w)
|
|
|
+ http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
|
|
|
return
|
|
|
}
|
|
|
|
|
|
token, err := app.GithubConfig.Exchange(oauth2.NoContext, r.URL.Query().Get("code"))
|
|
|
|
|
|
if err != nil {
|
|
|
- // TODO -- SEND A CUSTOM ERROR
|
|
|
- app.handleErrorDataRead(err, w)
|
|
|
+ http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
|
|
|
return
|
|
|
}
|
|
|
|
|
|
if !token.Valid() {
|
|
|
- // TODO -- SEND A CUSTOM ERROR
|
|
|
- app.handleErrorDataRead(err, w)
|
|
|
+ http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
|
|
|
return
|
|
|
}
|
|
|
|
|
|
- app.updateProjectFromToken(token)
|
|
|
-
|
|
|
- // client := github.NewClient(app.GithubConfig.Client(oauth2.NoContext, token))
|
|
|
-
|
|
|
- // client.
|
|
|
+ userID, _ := session.Values["user_id"].(uint)
|
|
|
+ projID, _ := session.Values["project_id"].(uint)
|
|
|
|
|
|
- // TODO -- determine if the user already exists as a github user with that email
|
|
|
- // If the user does not exist, create the user in the database
|
|
|
-
|
|
|
- // If the user does exist, save the username, kind, and access_token in the session
|
|
|
-
|
|
|
- // user, _, err := client.Users.Get(context.Background(), "")
|
|
|
- // if err != nil {
|
|
|
- // fmt.Println(w, "error getting name")
|
|
|
- // return
|
|
|
- // }
|
|
|
-
|
|
|
- // session.Values["githubUserName"] = user.Name
|
|
|
- // session.Values["githubAccessToken"] = token
|
|
|
- // session.Save(r, w)
|
|
|
+ app.updateProjectFromToken(projID, userID, token)
|
|
|
|
|
|
+ // TODO -- custom redirect URI
|
|
|
http.Redirect(w, r, "/", 302)
|
|
|
}
|
|
|
|
|
|
func (app *App) populateOAuthSession(w http.ResponseWriter, r *http.Request, state string, isProject bool) error {
|
|
|
-
|
|
|
session, err := app.store.Get(r, app.cookieName)
|
|
|
|
|
|
if err != nil {
|
|
|
@@ -152,19 +149,30 @@ func (app *App) upsertUserFromToken() error {
|
|
|
}
|
|
|
|
|
|
// updates a project's repository clients with the token information.
|
|
|
-func (app *App) updateProjectFromToken(tok *oauth2.Token) error {
|
|
|
+func (app *App) updateProjectFromToken(projectID uint, userID uint, tok *oauth2.Token) error {
|
|
|
// get the list of repositories that this token has access to
|
|
|
client := github.NewClient(app.GithubConfig.Client(oauth2.NoContext, tok))
|
|
|
|
|
|
- repos, _, err := client.Repositories.List(context.Background(), "", nil)
|
|
|
+ user, _, err := client.Users.Get(context.Background(), "")
|
|
|
|
|
|
if err != nil {
|
|
|
return err
|
|
|
}
|
|
|
|
|
|
- for _, repo := range repos {
|
|
|
- fmt.Println(repo.GetName())
|
|
|
+ repoClient := &models.RepoClient{
|
|
|
+ ProjectID: projectID,
|
|
|
+ UserID: userID,
|
|
|
+ RepoUserID: uint(user.GetID()),
|
|
|
+ Kind: models.RepoClientGithub,
|
|
|
+ AccessToken: tok.AccessToken,
|
|
|
+ RefreshToken: tok.RefreshToken,
|
|
|
}
|
|
|
|
|
|
- return fmt.Errorf("UNIMPLEMENTED")
|
|
|
+ repoClient, err = app.repo.RepoClient.CreateRepoClient(repoClient)
|
|
|
+
|
|
|
+ if err != nil {
|
|
|
+ return err
|
|
|
+ }
|
|
|
+
|
|
|
+ return nil
|
|
|
}
|
Alexander Belanger