You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
414 lines
11 KiB
414 lines
11 KiB
import { Meteor } from 'meteor/meteor';
|
|
import { Match, check } from 'meteor/check';
|
|
import { Accounts } from 'meteor/accounts-base';
|
|
import { OAuth } from 'meteor/oauth';
|
|
import { HTTP } from 'meteor/http';
|
|
import { ServiceConfiguration } from 'meteor/service-configuration';
|
|
import { Logger } from '../../logger';
|
|
import { Users } from '../../models';
|
|
import { mapRolesFromSSO, updateRolesFromSSO } from './oauth_helpers';
|
|
import _ from 'underscore';
|
|
import { isURL } from '../../utils/lib/isURL';
|
|
import { registerAccessTokenService } from '../../lib/server/oauth/oauth';
|
|
|
|
const logger = new Logger('CustomOAuth');
|
|
|
|
const Services = {};
|
|
const BeforeUpdateOrCreateUserFromExternalService = [];
|
|
|
|
export class CustomOAuth {
|
|
constructor(name, options) {
|
|
logger.debug('Init CustomOAuth', name, options);
|
|
|
|
this.name = name;
|
|
if (!Match.test(this.name, String)) {
|
|
throw new Meteor.Error('CustomOAuth: Name is required and must be String');
|
|
}
|
|
|
|
if (Services[this.name]) {
|
|
Services[this.name].configure(options);
|
|
return;
|
|
}
|
|
|
|
Services[this.name] = this;
|
|
|
|
this.configure(options);
|
|
|
|
this.userAgent = 'Meteor';
|
|
if (Meteor.release) {
|
|
this.userAgent += `/${ Meteor.release }`;
|
|
}
|
|
|
|
Accounts.oauth.registerService(this.name);
|
|
this.registerService();
|
|
this.addHookToProcessUser();
|
|
this.registerAccessTokenService(this.name, this.accessTokenParam);
|
|
}
|
|
|
|
configure(options) {
|
|
if (!Match.test(options, Object)) {
|
|
throw new Meteor.Error('CustomOAuth: Options is required and must be Object');
|
|
}
|
|
|
|
if (!Match.test(options.serverURL, String)) {
|
|
throw new Meteor.Error('CustomOAuth: Options.serverURL is required and must be String');
|
|
}
|
|
|
|
if (!Match.test(options.tokenPath, String)) {
|
|
options.tokenPath = '/oauth/token';
|
|
}
|
|
|
|
if (!Match.test(options.identityPath, String)) {
|
|
options.identityPath = '/me';
|
|
}
|
|
|
|
if (!Match.test(options.accessTokenParam, String)) {
|
|
options.accessTokenParam = 'access_token';
|
|
}
|
|
|
|
this.serverURL = options.serverURL;
|
|
this.tokenPath = options.tokenPath;
|
|
this.identityPath = options.identityPath;
|
|
this.tokenSentVia = options.tokenSentVia;
|
|
this.identityTokenSentVia = options.identityTokenSentVia;
|
|
this.usernameField = (options.usernameField || '').trim();
|
|
this.mergeUsers = options.mergeUsers;
|
|
this.mergeRoles = options.mergeRoles || false;
|
|
this.rolesClaim = options.rolesClaim || 'roles';
|
|
this.accessTokenParam = options.accessTokenParam;
|
|
|
|
if (this.identityTokenSentVia == null || this.identityTokenSentVia === 'default') {
|
|
this.identityTokenSentVia = this.tokenSentVia;
|
|
}
|
|
|
|
if (!isURL(this.tokenPath)) {
|
|
this.tokenPath = this.serverURL + this.tokenPath;
|
|
}
|
|
|
|
if (!isURL(this.identityPath)) {
|
|
this.identityPath = this.serverURL + this.identityPath;
|
|
}
|
|
|
|
if (Match.test(options.addAutopublishFields, Object)) {
|
|
Accounts.addAutopublishFields(options.addAutopublishFields);
|
|
}
|
|
}
|
|
|
|
getAccessToken(query) {
|
|
const config = ServiceConfiguration.configurations.findOne({ service: this.name });
|
|
if (!config) {
|
|
throw new ServiceConfiguration.ConfigError();
|
|
}
|
|
|
|
let response = undefined;
|
|
|
|
const allOptions = {
|
|
headers: {
|
|
'User-Agent': this.userAgent, // http://doc.gitlab.com/ce/api/users.html#Current-user
|
|
Accept: 'application/json',
|
|
},
|
|
params: {
|
|
code: query.code,
|
|
redirect_uri: OAuth._redirectUri(this.name, config),
|
|
grant_type: 'authorization_code',
|
|
state: query.state,
|
|
},
|
|
};
|
|
|
|
// Only send clientID / secret once on header or payload.
|
|
if (this.tokenSentVia === 'header') {
|
|
allOptions.auth = `${ config.clientId }:${ OAuth.openSecret(config.secret) }`;
|
|
} else {
|
|
allOptions.params.client_secret = OAuth.openSecret(config.secret);
|
|
allOptions.params.client_id = config.clientId;
|
|
}
|
|
|
|
try {
|
|
response = HTTP.post(this.tokenPath, allOptions);
|
|
} catch (err) {
|
|
const error = new Error(`Failed to complete OAuth handshake with ${ this.name } at ${ this.tokenPath }. ${ err.message }`);
|
|
throw _.extend(error, { response: err.response });
|
|
}
|
|
|
|
let data;
|
|
if (response.data) {
|
|
data = response.data;
|
|
} else {
|
|
data = JSON.parse(response.content);
|
|
}
|
|
|
|
if (data.error) { // if the http response was a json object with an error attribute
|
|
throw new Error(`Failed to complete OAuth handshake with ${ this.name } at ${ this.tokenPath }. ${ data.error }`);
|
|
} else {
|
|
return data.access_token;
|
|
}
|
|
}
|
|
|
|
getIdentity(accessToken, accessTokenParam) {
|
|
const params = {};
|
|
const headers = {
|
|
'User-Agent': this.userAgent, // http://doc.gitlab.com/ce/api/users.html#Current-user
|
|
};
|
|
|
|
if (this.identityTokenSentVia === 'header') {
|
|
headers.Authorization = `Bearer ${ accessToken }`;
|
|
} else {
|
|
params[accessTokenParam] = accessToken;
|
|
}
|
|
|
|
try {
|
|
const response = HTTP.get(this.identityPath, {
|
|
headers,
|
|
params,
|
|
});
|
|
|
|
let data;
|
|
|
|
if (response.data) {
|
|
data = response.data;
|
|
} else {
|
|
data = JSON.parse(response.content);
|
|
}
|
|
|
|
logger.debug('Identity response', JSON.stringify(data, null, 2));
|
|
|
|
return this.normalizeIdentity(data);
|
|
} catch (err) {
|
|
const error = new Error(`Failed to fetch identity from ${ this.name } at ${ this.identityPath }. ${ err.message }`);
|
|
throw _.extend(error, { response: err.response });
|
|
}
|
|
}
|
|
|
|
registerService() {
|
|
const self = this;
|
|
OAuth.registerService(this.name, 2, null, (query) => {
|
|
const accessToken = self.getAccessToken(query);
|
|
|
|
const identity = self.getIdentity(accessToken, this.accessTokenParam);
|
|
|
|
const serviceData = {
|
|
_OAuthCustom: true,
|
|
accessToken,
|
|
};
|
|
|
|
_.extend(serviceData, identity);
|
|
|
|
const data = {
|
|
serviceData,
|
|
options: {
|
|
profile: {
|
|
name: identity.name,
|
|
},
|
|
},
|
|
};
|
|
|
|
return data;
|
|
});
|
|
}
|
|
|
|
normalizeIdentity(identity) {
|
|
if (identity) {
|
|
// Set 'id' to '_id' for any sources that provide it
|
|
if (identity._id && !identity.id) {
|
|
identity.id = identity._id;
|
|
}
|
|
|
|
// Fix for Reddit
|
|
if (identity.result) {
|
|
identity = identity.result;
|
|
}
|
|
|
|
// Fix WordPress-like identities having 'ID' instead of 'id'
|
|
if (identity.ID && !identity.id) {
|
|
identity.id = identity.ID;
|
|
}
|
|
|
|
// Fix Auth0-like identities having 'user_id' instead of 'id'
|
|
if (identity.user_id && !identity.id) {
|
|
identity.id = identity.user_id;
|
|
}
|
|
|
|
if (identity.CharacterID && !identity.id) {
|
|
identity.id = identity.CharacterID;
|
|
}
|
|
|
|
// Fix Dataporten having 'user.userid' instead of 'id'
|
|
if (identity.user && identity.user.userid && !identity.id) {
|
|
if (identity.user.userid_sec && identity.user.userid_sec[0]) {
|
|
identity.id = identity.user.userid_sec[0];
|
|
} else {
|
|
identity.id = identity.user.userid;
|
|
}
|
|
identity.email = identity.user.email;
|
|
}
|
|
// Fix for Xenforo [BD]API plugin for 'user.user_id; instead of 'id'
|
|
if (identity.user && identity.user.user_id && !identity.id) {
|
|
identity.id = identity.user.user_id;
|
|
identity.email = identity.user.user_email;
|
|
}
|
|
// Fix general 'phid' instead of 'id' from phabricator
|
|
if (identity.phid && !identity.id) {
|
|
identity.id = identity.phid;
|
|
}
|
|
|
|
// Fix Keycloak-like identities having 'sub' instead of 'id'
|
|
if (identity.sub && !identity.id) {
|
|
identity.id = identity.sub;
|
|
}
|
|
|
|
// Fix OpenShift identities where id is in 'metadata' object
|
|
if (!identity.id && identity.metadata && identity.metadata.uid) {
|
|
identity.id = identity.metadata.uid;
|
|
identity.name = identity.fullName;
|
|
}
|
|
|
|
// Fix general 'userid' instead of 'id' from provider
|
|
if (identity.userid && !identity.id) {
|
|
identity.id = identity.userid;
|
|
}
|
|
|
|
// Fix Nextcloud provider
|
|
if (!identity.id && identity.ocs && identity.ocs.data && identity.ocs.data.id) {
|
|
identity.id = identity.ocs.data.id;
|
|
identity.name = identity.ocs.data.displayname;
|
|
identity.email = identity.ocs.data.email;
|
|
}
|
|
|
|
// Fix when authenticating from a meteor app with 'emails' field
|
|
if (!identity.email && (identity.emails && Array.isArray(identity.emails) && identity.emails.length >= 1)) {
|
|
identity.email = identity.emails[0].address ? identity.emails[0].address : undefined;
|
|
}
|
|
}
|
|
|
|
if (this.usernameField) {
|
|
identity.username = this.getUsername(identity);
|
|
}
|
|
|
|
identity.name = this.getName(identity);
|
|
|
|
return identity;
|
|
}
|
|
|
|
retrieveCredential(credentialToken, credentialSecret) {
|
|
return OAuth.retrieveCredential(credentialToken, credentialSecret);
|
|
}
|
|
|
|
getUsername(data) {
|
|
let username = '';
|
|
|
|
username = this.usernameField.split('.').reduce(function(prev, curr) {
|
|
return prev ? prev[curr] : undefined;
|
|
}, data);
|
|
if (!username) {
|
|
throw new Meteor.Error('field_not_found', `Username field "${ this.usernameField }" not found in data`, data);
|
|
}
|
|
return username;
|
|
}
|
|
|
|
getName(identity) {
|
|
const name = identity.name || identity.username || identity.nickname || identity.CharacterName || identity.userName || identity.preferred_username || (identity.user && identity.user.name);
|
|
return name;
|
|
}
|
|
|
|
addHookToProcessUser() {
|
|
BeforeUpdateOrCreateUserFromExternalService.push((serviceName, serviceData/* , options*/) => {
|
|
if (serviceName !== this.name) {
|
|
return;
|
|
}
|
|
|
|
if (serviceData.username) {
|
|
const user = Users.findOneByUsername(serviceData.username);
|
|
if (!user) {
|
|
return;
|
|
}
|
|
|
|
if (this.mergeRoles) {
|
|
updateRolesFromSSO(user, serviceData, this.rolesClaim);
|
|
}
|
|
|
|
// User already created or merged and has identical name as before
|
|
if (user.services && user.services[serviceName] && user.services[serviceName].id === serviceData.id && user.name === serviceData.name) {
|
|
return;
|
|
}
|
|
|
|
if (this.mergeUsers !== true) {
|
|
throw new Meteor.Error('CustomOAuth', `User with username ${ user.username } already exists`);
|
|
}
|
|
|
|
const serviceIdKey = `services.${ serviceName }.id`;
|
|
const update = {
|
|
$set: {
|
|
name: serviceData.name,
|
|
[serviceIdKey]: serviceData.id,
|
|
},
|
|
};
|
|
|
|
Users.update({ _id: user._id }, update);
|
|
}
|
|
});
|
|
|
|
Accounts.validateNewUser((user) => {
|
|
if (!user.services || !user.services[this.name] || !user.services[this.name].id) {
|
|
return true;
|
|
}
|
|
|
|
if (this.usernameField) {
|
|
user.username = this.getUsername(user.services[this.name]);
|
|
}
|
|
|
|
if (this.mergeRoles) {
|
|
user.roles = mapRolesFromSSO(user.services[this.name], this.rolesClaim);
|
|
}
|
|
|
|
return true;
|
|
});
|
|
|
|
}
|
|
|
|
registerAccessTokenService(name, accessTokenParam) {
|
|
const self = this;
|
|
const whitelisted = [
|
|
'id',
|
|
'email',
|
|
'username',
|
|
'name',
|
|
this.rolesClaim,
|
|
];
|
|
|
|
registerAccessTokenService(name, function(options) {
|
|
check(options, Match.ObjectIncluding({
|
|
accessToken: String,
|
|
expiresIn: Match.Integer,
|
|
identity: Match.Maybe(Object),
|
|
}));
|
|
|
|
const identity = options.identity || self.getIdentity(options.accessToken, accessTokenParam);
|
|
|
|
const serviceData = {
|
|
accessToken: options.accessToken,
|
|
expiresAt: (+new Date) + (1000 * parseInt(options.expiresIn, 10)),
|
|
};
|
|
|
|
const fields = _.pick(identity, whitelisted);
|
|
_.extend(serviceData, fields);
|
|
|
|
return {
|
|
serviceData,
|
|
options: {
|
|
profile: {
|
|
name: identity.name,
|
|
},
|
|
},
|
|
};
|
|
});
|
|
}
|
|
}
|
|
|
|
const { updateOrCreateUserFromExternalService } = Accounts;
|
|
Accounts.updateOrCreateUserFromExternalService = function(...args /* serviceName, serviceData, options*/) {
|
|
for (const hook of BeforeUpdateOrCreateUserFromExternalService) {
|
|
hook.apply(this, args);
|
|
}
|
|
|
|
return updateOrCreateUserFromExternalService.apply(this, args);
|
|
};
|
|
|