k-space/dex
Archived
11
0
Fork 0
Code Issues Pull Requests Packages Projects Activity

connector: add RefreshConnector interface

Browse Source
This commit is contained in:
Eric Chiang
2016-11-18 13:40:41 -08:00
parent 27fb7c523e
commit 952e0f81f5
9 changed files with 438 additions and 191 deletions
Download Patch File Download Diff File Expand all files Collapse all files

192
connector/github/github.go
View File

@@ -3,6 +3,7 @@ package github
import (
"encoding/json"
"errors"
"fmt"
"io/ioutil"
"net/http"
@@ -15,7 +16,11 @@ import (
"github.com/coreos/dex/connector"
)
const baseURL = "https://api.github.com"
const (
baseURL = "https://api.github.com"
scopeEmail = "user:email"
scopeOrgs = "read:org"
)
// Config holds configuration options for github logins.
type Config struct {
@@ -28,17 +33,10 @@ type Config struct {
// Open returns a strategy for logging in through GitHub.
func (c *Config) Open() (connector.Connector, error) {
return &githubConnector{
redirectURI: c.RedirectURI,
org: c.Org,
oauth2Config: &oauth2.Config{
ClientID: c.ClientID,
ClientSecret: c.ClientSecret,
Endpoint: github.Endpoint,
Scopes: []string{
"user:email", // View user's email
"read:org", // View user's org teams.
},
},
redirectURI: c.RedirectURI,
org: c.Org,
clientID: c.ClientID,
clientSecret: c.ClientSecret,
}, nil
}
@@ -49,26 +47,36 @@ type connectorData struct {
var (
_ connector.CallbackConnector = (*githubConnector)(nil)
_ connector.GroupsConnector = (*githubConnector)(nil)
_ connector.RefreshConnector = (*githubConnector)(nil)
)
type githubConnector struct {
redirectURI string
org string
oauth2Config *oauth2.Config
ctx context.Context
cancel context.CancelFunc
clientID string
clientSecret string
}
func (c *githubConnector) Close() error {
return nil
func (c *githubConnector) oauth2Config(scopes connector.Scopes) *oauth2.Config {
var githubScopes []string
if scopes.Groups {
githubScopes = []string{scopeEmail, scopeOrgs}
} else {
githubScopes = []string{scopeEmail}
}
return &oauth2.Config{
ClientID: c.clientID,
ClientSecret: c.clientSecret,
Endpoint: github.Endpoint,
Scopes: githubScopes,
}
}
func (c *githubConnector) LoginURL(callbackURL, state string) (string, error) {
func (c *githubConnector) LoginURL(scopes connector.Scopes, callbackURL, state string) (string, error) {
if c.redirectURI != callbackURL {
return "", fmt.Errorf("expected callback URL did not match the URL in the config")
}
return c.oauth2Config.AuthCodeURL(state), nil
return c.oauth2Config(scopes).AuthCodeURL(state), nil
}
type oauth2Error struct {
@@ -83,43 +91,25 @@ func (e *oauth2Error) Error() string {
return e.error + ": " + e.errorDescription
}
func (c *githubConnector) HandleCallback(r *http.Request) (identity connector.Identity, err error) {
func (c *githubConnector) HandleCallback(s connector.Scopes, r *http.Request) (identity connector.Identity, err error) {
q := r.URL.Query()
if errType := q.Get("error"); errType != "" {
return identity, &oauth2Error{errType, q.Get("error_description")}
}
token, err := c.oauth2Config.Exchange(c.ctx, q.Get("code"))
oauth2Config := c.oauth2Config(s)
ctx := r.Context()
token, err := oauth2Config.Exchange(ctx, q.Get("code"))
if err != nil {
return identity, fmt.Errorf("github: failed to get token: %v", err)
}
resp, err := c.oauth2Config.Client(c.ctx, token).Get(baseURL + "/user")
if err != nil {
return identity, fmt.Errorf("github: get URL %v", err)
}
defer resp.Body.Close()
client := oauth2Config.Client(ctx, token)
if resp.StatusCode != http.StatusOK {
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
return identity, fmt.Errorf("github: read body: %v", err)
}
return identity, fmt.Errorf("%s: %s", resp.Status, body)
}
var user struct {
Name string `json:"name"`
Login string `json:"login"`
ID int `json:"id"`
Email string `json:"email"`
}
if err := json.NewDecoder(resp.Body).Decode(&user); err != nil {
return identity, fmt.Errorf("failed to decode response: %v", err)
}
data := connectorData{AccessToken: token.AccessToken}
connData, err := json.Marshal(data)
user, err := c.user(ctx, client)
if err != nil {
return identity, fmt.Errorf("marshal connector data: %v", err)
return identity, fmt.Errorf("github: get user: %v", err)
}
username := user.Name
@@ -131,22 +121,114 @@ func (c *githubConnector) HandleCallback(r *http.Request) (identity connector.Id
Username: username,
Email: user.Email,
EmailVerified: true,
ConnectorData: connData,
}
if s.Groups && c.org != "" {
groups, err := c.teams(ctx, client, c.org)
if err != nil {
return identity, fmt.Errorf("github: get teams: %v", err)
}
identity.Groups = groups
}
if s.OfflineAccess {
data := connectorData{AccessToken: token.AccessToken}
connData, err := json.Marshal(data)
if err != nil {
return identity, fmt.Errorf("marshal connector data: %v", err)
}
identity.ConnectorData = connData
}
return identity, nil
}
func (c *githubConnector) Groups(identity connector.Identity) ([]string, error) {
var data connectorData
if err := json.Unmarshal(identity.ConnectorData, &data); err != nil {
return nil, fmt.Errorf("decode connector data: %v", err)
func (c *githubConnector) Refresh(ctx context.Context, s connector.Scopes, ident connector.Identity) (connector.Identity, error) {
if len(ident.ConnectorData) == 0 {
return ident, errors.New("no upstream access token found")
}
token := &oauth2.Token{AccessToken: data.AccessToken}
resp, err := c.oauth2Config.Client(c.ctx, token).Get(baseURL + "/user/teams")
var data connectorData
if err := json.Unmarshal(ident.ConnectorData, &data); err != nil {
return ident, fmt.Errorf("github: unmarshal access token: %v", err)
}
client := c.oauth2Config(s).Client(ctx, &oauth2.Token{AccessToken: data.AccessToken})
user, err := c.user(ctx, client)
if err != nil {
return ident, fmt.Errorf("github: get user: %v", err)
}
username := user.Name
if username == "" {
username = user.Login
}
ident.Username = username
ident.Email = user.Email
if s.Groups && c.org != "" {
groups, err := c.teams(ctx, client, c.org)
if err != nil {
return ident, fmt.Errorf("github: get teams: %v", err)
}
ident.Groups = groups
}
return ident, nil
}
type user struct {
Name string `json:"name"`
Login string `json:"login"`
ID int `json:"id"`
Email string `json:"email"`
}
// user queries the GitHub API for profile information using the provided client. The HTTP
// client is expected to be constructed by the golang.org/x/oauth2 package, which inserts
// a bearer token as part of the request.
func (c *githubConnector) user(ctx context.Context, client *http.Client) (user, error) {
var u user
req, err := http.NewRequest("GET", baseURL+"/user", nil)
if err != nil {
return u, fmt.Errorf("github: new req: %v", err)
}
req = req.WithContext(ctx)
resp, err := client.Do(req)
if err != nil {
return u, fmt.Errorf("github: get URL %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
return u, fmt.Errorf("github: read body: %v", err)
}
return u, fmt.Errorf("%s: %s", resp.Status, body)
}
if err := json.NewDecoder(resp.Body).Decode(&u); err != nil {
return u, fmt.Errorf("failed to decode response: %v", err)
}
return u, nil
}
// teams queries the GitHub API for team membership within a specific organization.
//
// The HTTP passed client is expected to be constructed by the golang.org/x/oauth2 package,
// which inserts a bearer token as part of the request.
func (c *githubConnector) teams(ctx context.Context, client *http.Client, org string) ([]string, error) {
req, err := http.NewRequest("GET", baseURL+"/user/teams", nil)
if err != nil {
return nil, fmt.Errorf("github: new req: %v", err)
}
req = req.WithContext(ctx)
resp, err := client.Do(req)
if err != nil {
return nil, fmt.Errorf("github: get teams: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
@@ -167,7 +249,7 @@ func (c *githubConnector) Groups(identity connector.Identity) ([]string, error)
}
groups := []string{}
for _, team := range teams {
if team.Org.Login == c.org {
if team.Org.Login == org {
groups = append(groups, team.Name)
}
}