nyaa-pantsu/utils/oauth2/helpers.go

package oauth2

import (
	"crypto/rand"
	"crypto/rsa"
	"time"

	"github.com/NyaaPantsu/nyaa/utils/oauth2/storage"

	"github.com/NyaaPantsu/nyaa/config"
	"github.com/NyaaPantsu/nyaa/utils/oauth2/manager"
	"github.com/ory/fosite"
	"github.com/ory/fosite/compose"
	"github.com/ory/fosite/handler/openid"
	"github.com/ory/fosite/token/jwt"
)

// Store This is a storage instance. We will add a client and a user to it so we can use these later on.
var Store *storage.FositeSQLStore

// OauthConfig for oauth2 provider
var OauthConfig *compose.Config

// Strat Because we are using oauth2 and open connect id, we use this little helper to combine the two in one
// variable.
var Strat compose.CommonStrategy

// Oauth2 is the exported oauth provider
var Oauth2 fosite.OAuth2Provider

func init() {
	Store = &storage.FositeSQLStore{
		&manager.SQLManager{&fosite.BCrypt{WorkFactor: 12}},
	}
	OauthConfig = new(compose.Config)
	Strat = compose.CommonStrategy{
		// alternatively you could use:
		//  OAuth2Strategy: compose.NewOAuth2JWTStrategy(MustRSAKey())
		CoreStrategy: compose.NewOAuth2HMACStrategy(OauthConfig, config.OAuthHash),

		// open id connect strategy
		OpenIDConnectTokenStrategy: compose.NewOpenIDConnectStrategy(MustRSAKey()),
	}
	Oauth2 = compose.Compose(
		OauthConfig,
		Store,
		Strat,
		nil,

		// enabled handlers
		compose.OAuth2AuthorizeExplicitFactory,
		compose.OAuth2AuthorizeImplicitFactory,
		compose.OAuth2ClientCredentialsGrantFactory,
		compose.OAuth2RefreshTokenGrantFactory,
		compose.OAuth2ResourceOwnerPasswordCredentialsFactory,

		compose.OAuth2TokenRevocationFactory,
		compose.OAuth2TokenIntrospectionFactory,

		// be aware that open id connect factories need to be added after oauth2 factories to work properly.
		compose.OpenIDConnectExplicitFactory,
		compose.OpenIDConnectImplicitFactory,
		compose.OpenIDConnectHybridFactory,
		compose.OpenIDConnectRefreshFactory,
	)
}

// A session is passed from the `/auth` to the `/token` endpoint. You probably want to store data like: "Who made the request",
// "What organization does that person belong to" and so on.
// For our use case, the session will meet the requirements imposed by JWT access tokens, HMAC access tokens and OpenID Connect
// ID Tokens plus a custom field

// NewSession is a helper function for creating a new session. This may look like a lot of code but since we are
// setting up multiple strategies it is a bit longer.
// Usually, you could do:
//
//  session = new(fosite.DefaultSession)
func NewSession(user string, clientURI string) *openid.DefaultSession {
	return &openid.DefaultSession{
		Claims: &jwt.IDTokenClaims{
			Issuer:    "https://nyaa.pantsu.cat/",
			Subject:   user,
			Audience:  clientURI,
			ExpiresAt: time.Now().Add(time.Hour * 6),
			IssuedAt:  time.Now(),
		},
		Headers: &jwt.Headers{
			Extra: make(map[string]interface{}),
		},
	}
}

// MustRSAKey must generate a RSA key or panic!
func MustRSAKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		panic(err)
	}
	return key
}
OAuth API [done] (#1275) * Initial Commit for OAuth API This builds and run and return the right error. Need to test it and then adding all users as possible client * Added mising dependency * just compile already... * Fixing template test * Imrpovements Moved db stuff in models Added some tests Added form in modpanel to add/update a client Added controllers for add/update of client * Added Forms + speed improvements Controller oauth client listing + html Controller oauth client delete + messages Messages on comment delete New ES config that disable ES if set to false. Improve load speed on local development Fix a load config bug Fix index admin & translation string sign_out broken by @ewhal * Sanitize empty strig in form array + css Multiple empty array of strings are sanitized for the oauth client create form Added some css for the form display * Upload and Create form works * Fix splitting response types * Removing required on secret when updating * fix travis error * Fix travis template test * Update dependency * Moved to jinzhu instead of azhao * randomizen secret on creation * Final touch on oath api improved display name fix grant form csrf fix login csrf on oauth * Fix gorm test * fix template test * Fixing deleted dependency issue * Make travis faster * Fix typo * Fix csrf for api calls * This shouldn't be exempt * Removing hard coded hash @ewhal Don't forget to replace the hash in tokens.go with another one * Added an example on how to use OAuth middleware * Renamed fosite utils to oauth2 utils 2017-07-28 05:46:40 +02:00			`package oauth2`

			`import (`
			`"crypto/rand"`
			`"crypto/rsa"`
			`"time"`

			`"github.com/NyaaPantsu/nyaa/utils/oauth2/storage"`

			`"github.com/NyaaPantsu/nyaa/config"`
			`"github.com/NyaaPantsu/nyaa/utils/oauth2/manager"`
			`"github.com/ory/fosite"`
			`"github.com/ory/fosite/compose"`
			`"github.com/ory/fosite/handler/openid"`
			`"github.com/ory/fosite/token/jwt"`
			`)`

			`// Store This is a storage instance. We will add a client and a user to it so we can use these later on.`
			`var Store *storage.FositeSQLStore`

			`// OauthConfig for oauth2 provider`
			`var OauthConfig *compose.Config`

			`// Strat Because we are using oauth2 and open connect id, we use this little helper to combine the two in one`
			`// variable.`
			`var Strat compose.CommonStrategy`

			`// Oauth2 is the exported oauth provider`
			`var Oauth2 fosite.OAuth2Provider`

			`func init() {`
			`Store = &storage.FositeSQLStore{`
			`&manager.SQLManager{&fosite.BCrypt{WorkFactor: 12}},`
			`}`
			`OauthConfig = new(compose.Config)`
			`Strat = compose.CommonStrategy{`
			`// alternatively you could use:`
			`// OAuth2Strategy: compose.NewOAuth2JWTStrategy(MustRSAKey())`
			`CoreStrategy: compose.NewOAuth2HMACStrategy(OauthConfig, config.OAuthHash),`

			`// open id connect strategy`
			`OpenIDConnectTokenStrategy: compose.NewOpenIDConnectStrategy(MustRSAKey()),`
			`}`
			`Oauth2 = compose.Compose(`
			`OauthConfig,`
			`Store,`
			`Strat,`
			`nil,`

			`// enabled handlers`
			`compose.OAuth2AuthorizeExplicitFactory,`
			`compose.OAuth2AuthorizeImplicitFactory,`
			`compose.OAuth2ClientCredentialsGrantFactory,`
			`compose.OAuth2RefreshTokenGrantFactory,`
			`compose.OAuth2ResourceOwnerPasswordCredentialsFactory,`

			`compose.OAuth2TokenRevocationFactory,`
			`compose.OAuth2TokenIntrospectionFactory,`

			`// be aware that open id connect factories need to be added after oauth2 factories to work properly.`
			`compose.OpenIDConnectExplicitFactory,`
			`compose.OpenIDConnectImplicitFactory,`
			`compose.OpenIDConnectHybridFactory,`
			`compose.OpenIDConnectRefreshFactory,`
			`)`
			`}`

			// A session is passed from the `/auth` to the `/token` endpoint. You probably want to store data like: "Who made the request",
			`// "What organization does that person belong to" and so on.`
			`// For our use case, the session will meet the requirements imposed by JWT access tokens, HMAC access tokens and OpenID Connect`
			`// ID Tokens plus a custom field`

			`// NewSession is a helper function for creating a new session. This may look like a lot of code but since we are`
			`// setting up multiple strategies it is a bit longer.`
			`// Usually, you could do:`
			`//`
			`// session = new(fosite.DefaultSession)`
			`func NewSession(user string, clientURI string) *openid.DefaultSession {`
			`return &openid.DefaultSession{`
			`Claims: &jwt.IDTokenClaims{`
			`Issuer: "https://nyaa.pantsu.cat/",`
			`Subject: user,`
			`Audience: clientURI,`
			`ExpiresAt: time.Now().Add(time.Hour * 6),`
			`IssuedAt: time.Now(),`
			`},`
			`Headers: &jwt.Headers{`
			`Extra: make(map[string]interface{}),`
			`},`
			`}`
			`}`

			`// MustRSAKey must generate a RSA key or panic!`
			`func MustRSAKey() *rsa.PrivateKey {`
			`key, err := rsa.GenerateKey(rand.Reader, 1024)`
			`if err != nil {`
			`panic(err)`
			`}`
			`return key`
			`}`