mirror of
https://github.com/pomerium/pomerium.git
synced 2025-04-30 02:46:30 +02:00
153 lines
4.3 KiB
Go
153 lines
4.3 KiB
Go
package identity // import "github.com/pomerium/pomerium/internal/identity"
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"net/http"
|
|
"net/url"
|
|
|
|
oidc "github.com/coreos/go-oidc"
|
|
"github.com/pomerium/pomerium/internal/httputil"
|
|
"github.com/pomerium/pomerium/internal/sessions"
|
|
"github.com/pomerium/pomerium/internal/version"
|
|
"golang.org/x/oauth2"
|
|
)
|
|
|
|
const (
|
|
defaultGitLabProviderURL = "https://gitlab.com"
|
|
revokeURL = "https://gitlab.com/oauth/revoke"
|
|
defaultGitLabGroupURL = "https://gitlab.com/api/v4/groups"
|
|
)
|
|
|
|
// GitLabProvider is an implementation of the OAuth Provider
|
|
type GitLabProvider struct {
|
|
*Provider
|
|
RevokeURL string `json:"revocation_endpoint"`
|
|
}
|
|
|
|
// NewGitLabProvider returns a new GitLabProvider.
|
|
// https://www.pomerium.io/docs/identity-providers/gitlab.html
|
|
func NewGitLabProvider(p *Provider) (*GitLabProvider, error) {
|
|
ctx := context.Background()
|
|
|
|
if p.ProviderURL == "" {
|
|
p.ProviderURL = defaultGitLabProviderURL
|
|
}
|
|
|
|
var err error
|
|
p.provider, err = oidc.NewProvider(ctx, p.ProviderURL)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if len(p.Scopes) == 0 {
|
|
p.Scopes = []string{oidc.ScopeOpenID, "api", "read_user", "profile", "email"}
|
|
}
|
|
|
|
p.verifier = p.provider.Verifier(&oidc.Config{ClientID: p.ClientID})
|
|
p.oauth = &oauth2.Config{
|
|
ClientID: p.ClientID,
|
|
ClientSecret: p.ClientSecret,
|
|
Endpoint: p.provider.Endpoint(),
|
|
RedirectURL: p.RedirectURL.String(),
|
|
Scopes: p.Scopes,
|
|
}
|
|
gp := &GitLabProvider{
|
|
Provider: p,
|
|
RevokeURL: revokeURL,
|
|
}
|
|
|
|
if err := p.provider.Claims(&gp); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return gp, nil
|
|
}
|
|
|
|
// Authenticate creates an identity session with gitlab from a authorization code, and makes
|
|
// a call to the userinfo endpoint to get the information of the user.
|
|
func (p GitLabProvider) Authenticate(ctx context.Context, code string) (*sessions.State, error) {
|
|
oauth2Token, err := p.oauth.Exchange(ctx, code)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("internal/gitlab: token exchange failed: %w", err)
|
|
}
|
|
|
|
idToken, err := p.IdentityFromToken(ctx, oauth2Token)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
s, err := sessions.NewStateFromTokens(idToken, oauth2Token, p.RedirectURL.Host)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
var claims struct {
|
|
ID string `json:"sub"`
|
|
UserInfoURL string `json:"userinfo_endpoint"`
|
|
}
|
|
|
|
if err := p.provider.Claims(&claims); err == nil && claims.UserInfoURL != "" {
|
|
userInfo, err := p.provider.UserInfo(ctx, oauth2.StaticTokenSource(oauth2Token))
|
|
if err != nil {
|
|
return nil, fmt.Errorf("internal/gitlab: could not retrieve user info %w", err)
|
|
}
|
|
if err := userInfo.Claims(&s); err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
|
|
if p.UserGroupFn != nil {
|
|
s.Groups, err = p.UserGroupFn(ctx, s)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("internal/gitlab: could not retrieve groups %w", err)
|
|
}
|
|
}
|
|
|
|
return s, nil
|
|
}
|
|
|
|
// UserGroups returns a slice of groups for the user.
|
|
//
|
|
// By default, this request returns 20 results at a time because the API results are paginated.
|
|
// https://docs.gitlab.com/ee/api/groups.html#list-groups
|
|
func (p *GitLabProvider) UserGroups(ctx context.Context, s *sessions.State) ([]string, error) {
|
|
if s == nil || s.AccessToken == nil {
|
|
return nil, errors.New("identity/gitlab: user session cannot be empty")
|
|
}
|
|
|
|
var response []struct {
|
|
ID string `json:"id"`
|
|
Name string `json:"name"`
|
|
Path string `json:"path"`
|
|
Description string `json:"description"`
|
|
Visibility string `json:"visibility"`
|
|
}
|
|
headers := map[string]string{"Authorization": fmt.Sprintf("Bearer %s", s.AccessToken.AccessToken)}
|
|
err := httputil.Client(ctx, http.MethodGet, defaultGitLabGroupURL, version.UserAgent(), headers, nil, &response)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
var groups []string
|
|
for _, group := range response {
|
|
groups = append(groups, group.Name)
|
|
}
|
|
|
|
return groups, nil
|
|
}
|
|
|
|
// Revoke attempts to revoke session access via revocation endpoint
|
|
// https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html#revoking-a-personal-access-token
|
|
func (p *GitLabProvider) Revoke(ctx context.Context, token *oauth2.Token) error {
|
|
params := url.Values{}
|
|
params.Add("access_token", token.AccessToken)
|
|
|
|
err := httputil.Client(ctx, http.MethodPost, p.RevokeURL, version.UserAgent(), nil, params, nil)
|
|
if err != nil && err != httputil.ErrTokenRevoked {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|