Diffstat (limited to 'plugins/VNLib.Plugins.Essentials.SocialOauth/src/Endpoints')
3 files changed, 571 insertions, 0 deletions
diff --git a/plugins/VNLib.Plugins.Essentials.SocialOauth/src/Endpoints/Auth0.cs b/plugins/VNLib.Plugins.Essentials.SocialOauth/src/Endpoints/Auth0.cs
new file mode 100644
index 0000000..c7512b7
--- /dev/null
+++ b/plugins/VNLib.Plugins.Essentials.SocialOauth/src/Endpoints/Auth0.cs
@@ -0,0 +1,195 @@
+/*
+* Copyright (c) 2022 Vaughn Nugent
+*
+* Library: VNLib
+* Package: VNLib.Plugins.Essentials.SocialOauth
+* File: Auth0.cs
+*
+* Auth0.cs is part of VNLib.Plugins.Essentials.SocialOauth which is part of the larger
+* VNLib collection of libraries and utilities.
+*
+* VNLib.Plugins.Essentials.SocialOauth is free software: you can redistribute it and/or modify
+* it under the terms of the GNU Affero General Public License as
+* published by the Free Software Foundation, either version 3 of the
+* License, or (at your option) any later version.
+*
+* VNLib.Plugins.Essentials.SocialOauth is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Affero General Public License for more details.
+*
+* You should have received a copy of the GNU Affero General Public License
+* along with this program. If not, see https://www.gnu.org/licenses/.
+*/
+
+using System;
+using System.Linq;
+using System.Text;
+using System.Text.Json;
+using System.Threading;
+using System.Threading.Tasks;
+using System.Collections.Generic;
+
+using RestSharp;
+
+using VNLib.Net.Rest.Client;
+using VNLib.Hashing;
+using VNLib.Hashing.IdentityUtility;
+using VNLib.Utils.Logging;
+using VNLib.Plugins.Essentials.Accounts;
+using VNLib.Plugins.Extensions.Loading;
+using VNLib.Plugins.Extensions.Loading.Users;
+
+namespace VNLib.Plugins.Essentials.SocialOauth.Endpoints
+{
+
+ [ConfigurationName("auth0")]
+ internal sealed class Auth0 : SocialOauthBase
+ {
+
+ protected override OauthClientConfig Config { get; }
+
+
+ private readonly Task<JsonDocument> Auth0VerificationJwk;
+
+ public Auth0(PluginBase plugin, IReadOnlyDictionary<string, JsonElement> config) : base()
+ {
+ string keyUrl = config["key_url"].GetString() ??
throw new KeyNotFoundException("Missing Auth0 'key_url' from config");
+
+ Uri keyUri = new(keyUrl);
+
+ //Get certificate on background thread
+ Auth0VerificationJwk = Task.Run(() => GetRsaCertificate(keyUri));
+
+ Config = new("auth0", config)
+ {
+ Passwords = plugin.GetPasswords(),
+ Users = plugin.GetUserManager(),
+ };
+
+ InitPathAndLog(Config.EndpointPath, plugin.Log);
+
+ //Load secrets
+ _ = plugin.DeferTask(async () =>
+ {
+ //Get id/secret
+ Task<SecretResult?> secretTask = plugin.TryGetSecretAsync("auth0_client_secret");
+ Task<SecretResult?> clientIdTask = plugin.TryGetSecretAsync("auth0_client_id");
+
+ await Task.WhenAll(secretTask, clientIdTask);
+
+ using SecretResult? secret = await secretTask;
+ using SecretResult? clientId = await clientIdTask;
+
+ Config.ClientID = clientId?.Result.ToString() ?? throw new KeyNotFoundException("Missing Auth0 client id from config or vault");
+ Config.ClientSecret = secret?.Result.ToString() ?? throw new KeyNotFoundException("Missing the Auth0 client secret from config or vault");
+
+ }, 100);
+ }
+
+
+ private async Task<JsonDocument> GetRsaCertificate(Uri certUri)
+ {
+ try
+ {
+ Log.Debug("Getting Auth0 signing keys");
+ //Get key request
+ RestRequest keyRequest = new(certUri, Method.Get);
+ keyRequest.AddHeader("Accept", "application/json");
+
+ //rent client from pool
+ using ClientContract client = ClientPool.Lease();
+
+ RestResponse response = await client.Resource.ExecuteAsync(keyRequest);
+
+ response.ThrowIfError();
+
+ return JsonDocument.Parse(response.RawBytes);
+ }
+ catch (Exception e)
+ {
+ Log.Error(e, "Failed to get Auth0 signing keys");
+ throw;
+ }
+ }
+
+ /*
+ * Account data may be recovered from the identity token
+ * and it happens after a call to GetLoginData so
+ * we do not need to re-verify the token
+ */
+ protected override Task<AccountData?> GetAccountDataAsync(IOAuthAccessState clientAccess, CancellationToken cancellationToken)
+ {
+ using JsonWebToken jwt =
JsonWebToken.Parse(clientAccess.IdToken);
+
+ //verify signature
+
+ using JsonDocument userData = jwt.GetPayload();
+
+ if (!userData.RootElement.GetProperty("email_verified").GetBoolean())
+ {
+ return Task.FromResult<AccountData?>(null);
+ }
+
+ string fullName = userData.RootElement.GetProperty("name").GetString() ?? " ";
+
+ return Task.FromResult<AccountData?>(new AccountData()
+ {
+ EmailAddress = userData.RootElement.GetProperty("email").GetString(),
+ First = fullName.Split(' ')[0],
+ Last = fullName.Split(' ')[1],
+ });
+ }
+
+ private static string GetUserIdFromPlatform(string userName)
+ {
+ /*
+ * Auth0 uses the format "platoform|{user_id}" for the user id so it should match the
+ * external platofrm as github and discord endoints also
+ */
+
+ return ManagedHash.ComputeHash(userName, HashAlg.SHA1, HashEncodingMode.Hexadecimal);
+ }
+
+
+ private static readonly Task<UserLoginData?> EmptyLoginData = Task.FromResult<UserLoginData?>(null);
+
+ protected override Task<UserLoginData?> GetLoginDataAsync(IOAuthAccessState clientAccess, CancellationToken cancellation)
+ {
+ using JsonWebToken jwt = JsonWebToken.Parse(clientAccess.IdToken);
+
+ //Verify the token against the first signing key
+ if (!jwt.VerifyFromJwk(Auth0VerificationJwk.Result.RootElement.GetProperty("keys").EnumerateArray().First()))
+ {
+ return EmptyLoginData;
+ }
+
+ using JsonDocument userData = jwt.GetPayload();
+
+ int iat = userData.RootElement.GetProperty("iat").GetInt32();
+ int exp = userData.RootElement.GetProperty("exp").GetInt32();
+
+ string userId = userData.RootElement.GetProperty("sub").GetString() ?? throw new Exception("Missing sub in jwt");
+ string audience = userData.RootElement.GetProperty("aud").GetString() ?? throw new Exception("Missing aud in jwt");
+ string issuer = userData.RootElement.GetProperty("iss").GetString() ??
throw new Exception("Missing iss in jwt");
+
+ if(exp < DateTimeOffset.UtcNow.ToUnixTimeSeconds())
+ {
+ //Expired
+ return EmptyLoginData;
+ }
+
+ //Verify audience matches client id
+ if (!Config.ClientID.Equals(audience, StringComparison.Ordinal))
+ {
+ //Invalid audience
+ return EmptyLoginData;
+ }
+
+ return Task.FromResult<UserLoginData?>(new UserLoginData()
+ {
+ UserId = GetUserIdFromPlatform(userId)
+ });
+ }
+ }
+}
diff --git a/plugins/VNLib.Plugins.Essentials.SocialOauth/src/Endpoints/DiscordOauth.cs b/plugins/VNLib.Plugins.Essentials.SocialOauth/src/Endpoints/DiscordOauth.cs
new file mode 100644
index 0000000..441dd9d
--- /dev/null
+++ b/plugins/VNLib.Plugins.Essentials.SocialOauth/src/Endpoints/DiscordOauth.cs
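Review bot: In GetLoginDataAsync the `iss` claim is read into `issuer` but its value never affects the outcome (`iat` is likewise unused), so a token that passes the signature and `aud` checks is accepted whatever issuer it names; compare it against the expected Auth0 issuer — a value to be configured next to `key_url` — and bail out on mismatch, e.g. `if (!string.Equals(issuer, expectedIssuer, StringComparison.Ordinal)) { return EmptyLoginData; }` with `expectedIssuer` standing in for that configured value. The signature check also takes `.EnumerateArray().First()` from a JWKS fetched once in the constructor, so a key set holding more than one key, or a rotation after startup, will reject valid tokens or verify against the wrong key — select the JWK whose `kid` matches the token header, and note that `Auth0VerificationJwk.Result` blocks the calling thread and rethrows any fetch failure as an AggregateException on every login. In GetAccountDataAsync, `Last = fullName.Split(' ')[1]` throws IndexOutOfRangeException for a single-word `name` claim; split with `StringSplitOptions.RemoveEmptyEntries` and guard the index the way GitHubOauth does with `names.Length > 1 ? names[1] : string.Empty`.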
@@ -0,0 +1,157 @@
+/*
+* Copyright (c) 2022 Vaughn Nugent
+*
+* Library: VNLib
+* Package: VNLib.Plugins.Essentials.SocialOauth
+* File: DiscordOauth.cs
+*
+* DiscordOauth.cs is part of VNLib.Plugins.Essentials.SocialOauth which is part of the larger
+* VNLib collection of libraries and utilities.
+*
+* VNLib.Plugins.Essentials.SocialOauth is free software: you can redistribute it and/or modify
+* it under the terms of the GNU Affero General Public License as
+* published by the Free Software Foundation, either version 3 of the
+* License, or (at your option) any later version.
+*
+* VNLib.Plugins.Essentials.SocialOauth is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Affero General Public License for more details.
+*
+* You should have received a copy of the GNU Affero General Public License
+* along with this program. If not, see https://www.gnu.org/licenses/.
+*/
+
+using System;
+using System.Text;
+using System.Threading;
+using System.Text.Json;
+using System.Threading.Tasks;
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+using RestSharp;
+
+using VNLib.Hashing;
+using VNLib.Utils.Logging;
+using VNLib.Net.Rest.Client;
+using VNLib.Plugins.Essentials.Accounts;
+using VNLib.Plugins.Extensions.Loading;
+using VNLib.Plugins.Extensions.Loading.Users;
+
+namespace VNLib.Plugins.Essentials.SocialOauth.Endpoints
+{
+ [ConfigurationName("discord")]
+ internal sealed class DiscordOauth : SocialOauthBase
+ {
+ protected override OauthClientConfig Config { get; }
+
+ public DiscordOauth(PluginBase plugin, IReadOnlyDictionary<string, JsonElement> config) : base()
+ {
+ Config = new("discord", config)
+ {
+ Passwords = plugin.GetPasswords(),
+ Users = plugin.GetUserManager(),
+ };
+
+ InitPathAndLog(Config.EndpointPath, plugin.Log);
+
+ //Load secrets
+ _ = plugin.DeferTask(async () =>
+ {
+ //Get id/secret
+ Task<SecretResult?> clientIdTask = plugin.TryGetSecretAsync("discord_client_id");
+ Task<SecretResult?> secretTask = plugin.TryGetSecretAsync("discord_client_secret");
+
+ await Task.WhenAll(secretTask, clientIdTask);
+
+ using SecretResult? secret = await secretTask;
+ using SecretResult? clientId = await clientIdTask;
+
+ Config.ClientID = clientId?.Result.ToString() ?? throw new KeyNotFoundException("Missing Discord client id from config or vault");
+ Config.ClientSecret = secret?.Result.ToString() ?? throw new KeyNotFoundException("Missing the Discord client secret from config or vault");
+
+ }, 100);
+ }
+
+
+ private static string GetUserIdFromPlatform(string userName)
+ {
+ return ManagedHash.ComputeHash($"discord|{userName}", HashAlg.SHA1, HashEncodingMode.Hexadecimal);
+ }
+
+
+ /*
+ * Matches the profile endpoint (@me) json object
+ */
+ private sealed class UserProfile
+ {
+ [JsonPropertyName("username")]
+ public string?
Username { get; set; }
+ [JsonPropertyName("id")]
+ public string? UserID { get; set; }
+ [JsonPropertyName("url")]
+ public string? ProfileUrl { get; set; }
+ [JsonPropertyName("verified")]
+ public bool Verified { get; set; }
+ [JsonPropertyName("email")]
+ public string? EmailAddress { get; set; }
+ }
+
+
+ protected override async Task<AccountData?> GetAccountDataAsync(IOAuthAccessState accessToken, CancellationToken cancellationToken)
+ {
+ //Get the user's email address's
+ RestRequest request = new(Config.UserDataUrl);
+ //Add authorization token
+ request.AddHeader("Authorization", $"{accessToken.Type} {accessToken.Token}");
+ //Get client from pool
+ using ClientContract client = ClientPool.Lease();
+ //get user's profile data
+ RestResponse<UserProfile> getProfileResponse = await client.Resource.ExecuteAsync<UserProfile>(request, cancellationToken: cancellationToken);
+ //Check response
+ if (!getProfileResponse.IsSuccessful || getProfileResponse.Data == null)
+ {
+ Log.Debug("Discord user request responded with code {code}:{data}", getProfileResponse.StatusCode, getProfileResponse.Content);
+ return null;
+ }
+ UserProfile discordProfile = getProfileResponse.Data;
+ //Make sure the user's account is verified
+ if (!discordProfile.Verified)
+ {
+ return null;
+ }
+ return new()
+ {
+ EmailAddress = discordProfile.EmailAddress,
+ First = discordProfile.Username,
+ };
+ }
+
+ protected override async Task<UserLoginData?> GetLoginDataAsync(IOAuthAccessState accessToken, CancellationToken cancellationToken)
+ {
+ //Get the user's email address's
+ RestRequest request = new(Config.UserDataUrl);
+ //Add authorization token
+ request.AddHeader("Authorization", $"{accessToken.Type} {accessToken.Token}");
+ //Get client from pool
+ using ClientContract client = ClientPool.Lease();
+ //get user's profile data
+ RestResponse<UserProfile> getProfileResponse = await client.Resource.ExecuteAsync<UserProfile>(request, cancellationToken: cancellationToken);
+ //Check
response
+ if (!getProfileResponse.IsSuccessful || getProfileResponse.Data?.UserID == null)
+ {
+ Log.Debug("Discord user request responded with code {code}:{data}", getProfileResponse.StatusCode, getProfileResponse.Content);
+ return null;
+ }
+
+ UserProfile discordProfile = getProfileResponse.Data;
+
+ return new()
+ {
+ //Get unique user-id from the discord profile and sha1 hex hash to store in db
+ UserId = GetUserIdFromPlatform(discordProfile.UserID)
+ };
+ }
+ }
+}
\ No newline at end of file
diff --git a/plugins/VNLib.Plugins.Essentials.SocialOauth/src/Endpoints/GitHubOauth.cs b/plugins/VNLib.Plugins.Essentials.SocialOauth/src/Endpoints/GitHubOauth.cs
new file mode 100644
index 0000000..676f2bb
--- /dev/null
+++ b/plugins/VNLib.Plugins.Essentials.SocialOauth/src/Endpoints/GitHubOauth.cs
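Review bot: Both `Log.Debug` calls in DiscordOauth write `getProfileResponse.Content` to the log, and the one in GetLoginDataAsync is also reached when the request succeeded but `Data?.UserID` deserialized as null, in which case `Content` is the full `@me` profile body that this class maps an `email` field from; log only the status code there, e.g. `Log.Debug("Discord user request responded with code {code}", getProfileResponse.StatusCode);`, and treat the matching line in GetAccountDataAsync the same way. GetAccountDataAsync and GetLoginDataAsync build and execute an identical request; a private `GetProfileAsync(IOAuthAccessState accessToken, CancellationToken cancellationToken)` helper returning the `RestResponse<UserProfile>` would remove the duplication. The `//Get the user's email address's` comment above each request does not describe this call, which fetches the user's profile, and should say so.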
@@ -0,0 +1,219 @@
+/*
+* Copyright (c) 2022 Vaughn Nugent
+*
+* Library: VNLib
+* Package: VNLib.Plugins.Essentials.SocialOauth
+* File: GitHubOauth.cs
+*
+* GitHubOauth.cs is part of VNLib.Plugins.Essentials.SocialOauth which is part of the larger
+* VNLib collection of libraries and utilities.
+*
+* VNLib.Plugins.Essentials.SocialOauth is free software: you can redistribute it and/or modify
+* it under the terms of the GNU Affero General Public License as
+* published by the Free Software Foundation, either version 3 of the
+* License, or (at your option) any later version.
+*
+* VNLib.Plugins.Essentials.SocialOauth is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Affero General Public License for more details.
+*
+* You should have received a copy of the GNU Affero General Public License
+* along with this program. If not, see https://www.gnu.org/licenses/.
+*/
+
+using System;
+using System.Text;
+using System.Threading;
+using System.Text.Json;
+using System.Threading.Tasks;
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+using RestSharp;
+
+using VNLib.Hashing;
+using VNLib.Utils.Logging;
+using VNLib.Net.Rest.Client;
+using VNLib.Plugins.Essentials.Accounts;
+using VNLib.Plugins.Extensions.Loading;
+using VNLib.Plugins.Extensions.Loading.Users;
+
+namespace VNLib.Plugins.Essentials.SocialOauth.Endpoints
+{
+ [ConfigurationName("github")]
+ internal sealed partial class GitHubOauth : SocialOauthBase
+ {
+ private const string GITHUB_V3_ACCEPT = "application/vnd.github.v3+json";
+
+ private readonly string UserEmailUrl;
+
+ protected override OauthClientConfig Config { get; }
+
+ public GitHubOauth(PluginBase plugin, IReadOnlyDictionary<string, JsonElement> config) : base()
+ {
+
+ UserEmailUrl = config["user_email_url"].GetString() ??
throw new KeyNotFoundException("Missing required key 'user_email_url' for github configuration");
+
+ Config = new("github", config)
+ {
+ Passwords = plugin.GetPasswords(),
+ Users = plugin.GetUserManager(),
+ };
+
+ InitPathAndLog(Config.EndpointPath, plugin.Log);
+
+ //Load secrets
+ _ = plugin.DeferTask(async () =>
+ {
+ //Get id/secret
+ Task<SecretResult?> clientIdTask = plugin.TryGetSecretAsync("github_client_id");
+ Task<SecretResult?> secretTask = plugin.TryGetSecretAsync("github_client_secret");
+
+ await Task.WhenAll(secretTask, clientIdTask);
+
+ using SecretResult? secret = await secretTask;
+ using SecretResult? clientId = await clientIdTask;
+
+ Config.ClientID = clientId?.Result.ToString() ?? throw new KeyNotFoundException("Missing Github client id from config or vault");
+ Config.ClientSecret = secret?.Result.ToString() ?? throw new KeyNotFoundException("Missing the Github client secret from config or vault");
+
+ }, 100);
+ }
+
+ protected override void StaticClientPoolInitializer(RestClient client)
+ {
+ client.UseSerializer<RestSharp.Serializers.Json.SystemTextJsonSerializer>();
+ //add accept types of normal json and github json
+ client.AcceptedContentTypes = new string[2] { "application/json", GITHUB_V3_ACCEPT };
+ }
+
+ /*
+ * Matches the json result from the
+ */
+ private sealed class GithubProfile
+ {
+ [JsonPropertyName("login")]
+ public string? Username { get; set; }
+ [JsonPropertyName("id")]
+ public int ID { get; set; }
+ [JsonPropertyName("node_id")]
+ public string? NodeID { get; set; }
+ [JsonPropertyName("avatar_url")]
+ public string? AvatarUrl { get; set; }
+ [JsonPropertyName("url")]
+ public string? ProfileUrl { get; set; }
+ [JsonPropertyName("type")]
+ public string? Type { get; set; }
+ [JsonPropertyName("name")]
+ public string? FullName { get; set; }
+ [JsonPropertyName("company")]
+ public string?
Company { get; set; }
+ }
+ /*
+ * Matches the required data from the github email endpoint
+ */
+ private sealed class EmailContainer
+ {
+ [JsonPropertyName("email")]
+ public string? Email { get; set; }
+ [JsonPropertyName("primary")]
+ public bool Primary { get; set; }
+ [JsonPropertyName("verified")]
+ public bool Verified { get; set; }
+ }
+
+ private static string GetUserIdFromPlatform(int userId)
+ {
+ return ManagedHash.ComputeHash($"github|{userId}", HashAlg.SHA1, HashEncodingMode.Hexadecimal);
+ }
+
+ protected override async Task<UserLoginData?> GetLoginDataAsync(IOAuthAccessState accessToken, CancellationToken cancellationToken)
+ {
+ //Get the user's email address's
+ RestRequest request = new(Config.UserDataUrl, Method.Get);
+
+ //Add authorization token
+ request.AddHeader("Authorization", $"{accessToken.Type} {accessToken.Token}");
+
+ //Get new client from pool
+ using ClientContract client = ClientPool.Lease();
+
+ //Exec the get for the profile
+ RestResponse<GithubProfile> profResponse = await client.Resource.ExecuteAsync<GithubProfile>(request, cancellationToken);
+
+ if (!profResponse.IsSuccessful || profResponse.Data == null || profResponse.Data.ID < 100)
+ {
+ Log.Debug("Github login data attempt responded with status code {code}", profResponse.StatusCode);
+ return null;
+ }
+
+ //Return login data
+ return new()
+ {
+ //User-id is just the SHA 1
+ UserId = GetUserIdFromPlatform(profResponse.Data.ID)
+ };
+ }
+
+ protected override async Task<AccountData?> GetAccountDataAsync(IOAuthAccessState accessToken, CancellationToken cancellationToken = default)
+ {
+ AccountData?
accountData = null;
+ //Get the user's email address's
+ RestRequest request = new(UserEmailUrl, Method.Get);
+ //Add authorization token
+ request.AddHeader("Authorization", $"{accessToken.Type} {accessToken.Token}");
+
+ using ClientContract client = ClientPool.Lease();
+
+ //get user's emails
+ RestResponse<EmailContainer[]> getEmailResponse = await client.Resource.ExecuteAsync<EmailContainer[]>(request, cancellationToken: cancellationToken);
+ //Check status
+ if (getEmailResponse.IsSuccessful && getEmailResponse.Data != null)
+ {
+ //Filter emails addresses
+ foreach (EmailContainer email in getEmailResponse.Data)
+ {
+ //Capture the first primary email address and make sure its verified
+ if (email.Primary && email.Verified)
+ {
+ accountData = new()
+ {
+ //store email on current profile
+ EmailAddress = email.Email
+ };
+ goto Continue;
+ }
+ }
+ //No primary email found
+ return null;
+ }
+ else
+ {
+ Log.Debug("Github account data request failed but GH responded with status code {code}", getEmailResponse.StatusCode);
+ return null;
+ }
+ Continue:
+ //We need to get the user's profile in order to create a new account
+ request = new(Config.UserDataUrl, Method.Get);
+ //Add authorization token
+ request.AddHeader("Authorization", $"{accessToken.Type} {accessToken.Token}");
+ //Exec the get for the profile
+ RestResponse<GithubProfile> profResponse = await client.Resource.ExecuteAsync<GithubProfile>(request, cancellationToken);
+ if (!profResponse.IsSuccessful || profResponse.Data == null)
+ {
+ Log.Debug("Github account data request failed but GH responded with status code {code}", profResponse.StatusCode);
+ return null;
+ }
+
+ //Get the user's name from gh profile
+ string[] names = profResponse.Data.FullName!.Split(" ", StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries);
+
+ //setup the user's profile data
+ accountData.First = names.Length > 0 ? names[0] : string.Empty;
+ accountData.Last = names.Length > 1 ?
names[1] : string.Empty;
+ return accountData;
+ }
+
+ }
+}
\ No newline at end of file |
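Review bot: `profResponse.Data.FullName!.Split(...)` near the end of GetAccountDataAsync applies the null-forgiving operator to a property the `GithubProfile` DTO declares as `string?`, so a profile whose `name` is null throws NullReferenceException instead of yielding empty first/last names; use `(profResponse.Data.FullName ?? string.Empty).Split(...)`. The `foreach`/`goto Continue` email selection in the same method reads more clearly as an early failure check, an `Array.Find` for the first primary verified entry and a null check, which also lets `accountData` be created non-nullable at that point instead of as `AccountData? accountData = null` at the top; the rewritten lines are below. In GetLoginDataAsync the `profResponse.Data.ID < 100` rejection has no explanation; a comment such as `//Reject ids below 100 — TODO document why this threshold was chosen` would keep a reader from deleting it. The `//Get the user's email address's` comment at the start of GetLoginDataAsync sits above the profile request and should describe that request instead.
```csharp
//get user's emails
RestResponse<EmailContainer[]> getEmailResponse = await client.Resource.ExecuteAsync<EmailContainer[]>(request, cancellationToken: cancellationToken);
if (!getEmailResponse.IsSuccessful || getEmailResponse.Data == null)
{
    Log.Debug("Github account data request failed but GH responded with status code {code}", getEmailResponse.StatusCode);
    return null;
}

//Capture the first primary email address and make sure its verified
EmailContainer? primaryEmail = Array.Find(getEmailResponse.Data, e => e.Primary && e.Verified);
if (primaryEmail == null)
{
    //No primary email found
    return null;
}

AccountData accountData = new()
{
    //store email on current profile
    EmailAddress = primaryEmail.Email
};

// … unchanged: profile request and its success check …

//Get the user's name from gh profile; the "name" field may be null
string[] names = (profResponse.Data.FullName ?? string.Empty).Split(" ", StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries);
```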