mirror of
https://github.com/gitpod-io/gitpod.git
synced 2025-12-08 17:36:30 +00:00
7ecc196baa
* [experiment] Add "Sign in with SSO" to Login Reusing existing parts: * `/complete-auth` page of Dashbaord to forward results of authN flows running in a modal * Adding preliminary UI to the Login view: Org-slug and simple button. * [gitpod-db] get team/org by slug * [gitpod-db] fix OIDCClientConfig.OrganizationID field's type * [oidc] consider returnTo URL * [oidc] consider orgSlug param from start request * [oidc] fix oauth2 clientId propagation * [oidc] fix a flaky test * [onboarding] skip for organizational accounts * Move SSO Login UI into it's own component * adjust validation a bit, add useCallbacks * adding GetOIDCClientConfigByOrgSlug * add table name * removing commented out code --------- Co-authored-by: Brad Harris <bmharris@gmail.com>
96 lines
2.6 KiB
Go
96 lines
2.6 KiB
Go
// Copyright (c) 2022 Gitpod GmbH. All rights reserved.
|
|
// Licensed under the GNU Affero General Public License (AGPL).
|
|
// See License.AGPL.txt in the project root for license information.
|
|
|
|
package oidc
|
|
|
|
import (
|
|
"context"
|
|
"net/http"
|
|
|
|
"github.com/gitpod-io/gitpod/common-go/log"
|
|
"golang.org/x/oauth2"
|
|
)
|
|
|
|
type OAuth2Result struct {
|
|
ClientConfigID string
|
|
OAuth2Token *oauth2.Token
|
|
ReturnToURL string
|
|
}
|
|
|
|
type StateParam struct {
|
|
// Internal client ID
|
|
ClientConfigID string `json:"clientConfigId"`
|
|
ReturnToURL string `json:"returnTo"`
|
|
}
|
|
|
|
type keyOAuth2Result struct{}
|
|
|
|
func AttachOAuth2ResultToContext(parentContext context.Context, result *OAuth2Result) context.Context {
|
|
childContext := context.WithValue(parentContext, keyOAuth2Result{}, result)
|
|
return childContext
|
|
}
|
|
|
|
func GetOAuth2ResultFromContext(ctx context.Context) *OAuth2Result {
|
|
value, ok := ctx.Value(keyOAuth2Result{}).(*OAuth2Result)
|
|
if !ok {
|
|
return nil
|
|
}
|
|
return value
|
|
}
|
|
|
|
func (s *Service) OAuth2Middleware(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
|
config, err := s.GetClientConfigFromCallbackRequest(r)
|
|
if err != nil {
|
|
log.Warn("client config not found: " + err.Error())
|
|
http.Error(rw, "config not found", http.StatusNotFound)
|
|
return
|
|
}
|
|
|
|
// http-only cookie written during flow start request
|
|
stateCookie, err := r.Cookie(stateCookieName)
|
|
if err != nil {
|
|
http.Error(rw, "state cookie not found", http.StatusBadRequest)
|
|
return
|
|
}
|
|
// the starte param passed back from IdP
|
|
stateParam := r.URL.Query().Get("state")
|
|
if stateParam == "" {
|
|
http.Error(rw, "state param not found", http.StatusBadRequest)
|
|
return
|
|
}
|
|
// on mismatch, obviously there is a client side error
|
|
if stateParam != stateCookie.Value {
|
|
http.Error(rw, "state did not match", http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
state, err := s.decodeStateParam(stateParam)
|
|
if err != nil {
|
|
http.Error(rw, "bad state param", http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
code := r.URL.Query().Get("code")
|
|
if code == "" {
|
|
http.Error(rw, "code param not found", http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
config.OAuth2Config.RedirectURL = getCallbackURL(r.Host)
|
|
oauth2Token, err := config.OAuth2Config.Exchange(r.Context(), code)
|
|
if err != nil {
|
|
http.Error(rw, "failed to exchange token: "+err.Error(), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
ctx := AttachOAuth2ResultToContext(r.Context(), &OAuth2Result{
|
|
OAuth2Token: oauth2Token,
|
|
ReturnToURL: state.ReturnToURL,
|
|
ClientConfigID: state.ClientConfigID,
|
|
})
|
|
next.ServeHTTP(rw, r.WithContext(ctx))
|
|
})
|
|
}
|