akillibulut
/
porter
zrcadlo https://github.com/porter-dev/porter


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178
							package api

import (
	"context"
	"fmt"
	"net/http"
	"strconv"

	"github.com/porter-dev/porter/internal/models"

	"github.com/go-chi/chi"
	"github.com/google/go-github/github"
	"github.com/porter-dev/porter/internal/oauth"
	"golang.org/x/oauth2"
)

// HandleGithubOAuthStartUser starts the oauth2 flow for a user login request.
func (app *App) HandleGithubOAuthStartUser(w http.ResponseWriter, r *http.Request) {
	state := oauth.CreateRandomState()

	err := app.populateOAuthSession(w, r, state, false)

	if err != nil {
		app.handleErrorDataRead(err, w)
		return
	}

	// specify access type offline to get a refresh token
	url := app.GithubConfig.AuthCodeURL(state, oauth2.AccessTypeOnline)

	http.Redirect(w, r, url, 302)
}

// HandleGithubOAuthStartProject starts the oauth2 flow for a project repo request.
// In this handler, the project id gets written to the session (along with the oauth
// state param), so that the correct project id can be identified in the callback.
func (app *App) HandleGithubOAuthStartProject(w http.ResponseWriter, r *http.Request) {
	state := oauth.CreateRandomState()

	err := app.populateOAuthSession(w, r, state, true)

	if err != nil {
		app.handleErrorDataRead(err, w)
		return
	}

	// specify access type offline to get a refresh token
	url := app.GithubConfig.AuthCodeURL(state, oauth2.AccessTypeOffline)

	http.Redirect(w, r, url, 302)
}

// HandleGithubOAuthCallback verifies the callback request by checking that the
// state parameter has not been modified, and validates the token.
// There is a difference between the oauth flow when logging a user in, and when
// linking a repository.
//
// When logging a user in, the access token gets stored in the session, and no refresh
// token is requested. We store the access token in the session because a user can be
// logged in multiple times with a single access token.
//
// NOTE: this user flow will likely be augmented with Dex, or entirely replaced with Dex.
//
// However, when linking a repository, the access token and refresh token are requested when
// the flow has started. A project also gets linked to the session. After callback, a new
// github config gets stored for the project, and the user will then get redirected to
// a URL that allows them to select their repositories they'd like to link. We require a refresh
// token because we need permanent access to the linked repository.
func (app *App) HandleGithubOAuthCallback(w http.ResponseWriter, r *http.Request) {
	session, err := app.store.Get(r, app.cookieName)

	if err != nil {
		app.handleErrorDataRead(err, w)
		return
	}

	if _, ok := session.Values["state"]; !ok {
		app.sendExternalError(
			err,
			http.StatusForbidden,
			HTTPError{
				Code: http.StatusForbidden,
				Errors: []string{
					"Could not read cookie: are cookies enabled?",
				},
			},
			w,
		)

		return
	}

	if r.URL.Query().Get("state") != session.Values["state"] {
		http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
		return
	}

	token, err := app.GithubConfig.Exchange(oauth2.NoContext, r.URL.Query().Get("code"))

	if err != nil {
		http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
		return
	}

	if !token.Valid() {
		http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
		return
	}

	userID, _ := session.Values["user_id"].(uint)
	projID, _ := session.Values["project_id"].(uint)

	app.updateProjectFromToken(projID, userID, token)

	// TODO -- custom redirect URI
	http.Redirect(w, r, "/", 302)
}

func (app *App) populateOAuthSession(w http.ResponseWriter, r *http.Request, state string, isProject bool) error {
	session, err := app.store.Get(r, app.cookieName)

	if err != nil {
		return err
	}

	// need state parameter to validate when redirected
	session.Values["state"] = state

	if isProject {
		// read the project id and add it to the session
		projID, err := strconv.ParseUint(chi.URLParam(r, "project_id"), 0, 64)

		if err != nil || projID == 0 {
			return fmt.Errorf("could not read project id")
		}

		session.Values["project_id"] = projID
	}

	if err := session.Save(r, w); err != nil {
		app.logger.Warn().Err(err)
	}

	return nil
}

func (app *App) upsertUserFromToken() error {
	return fmt.Errorf("UNIMPLEMENTED")
}

// updates a project's repository clients with the token information.
func (app *App) updateProjectFromToken(projectID uint, userID uint, tok *oauth2.Token) error {
	// get the list of repositories that this token has access to
	client := github.NewClient(app.GithubConfig.Client(oauth2.NoContext, tok))

	user, _, err := client.Users.Get(context.Background(), "")

	if err != nil {
		return err
	}

	repoClient := &models.RepoClient{
		ProjectID:    projectID,
		UserID:       userID,
		RepoUserID:   uint(user.GetID()),
		Kind:         models.RepoClientGithub,
		AccessToken:  tok.AccessToken,
		RefreshToken: tok.RefreshToken,
	}

	repoClient, err = app.repo.RepoClient.CreateRepoClient(repoClient)

	if err != nil {
		return err
	}

	return nil
}