portainer/api/oauth/oauth.go

package oauth

import (
	"context"
	"io"
	"maps"
	"mime"
	"net/http"
	"net/url"
	"strings"
	"time"

	portainer "github.com/portainer/portainer/api"

	"github.com/golang-jwt/jwt/v4"
	"github.com/pkg/errors"
	"github.com/rs/zerolog/log"
	"github.com/segmentio/encoding/json"
	"golang.org/x/oauth2"
)

// Service represents a service used to authenticate users against an authorization server
type Service struct{}

// NewService returns a pointer to a new instance of this service
func NewService() *Service {
	return &Service{}
}

// Authenticate takes an access code and exchanges it for an access token from portainer OAuthSettings token environment(endpoint).
// On success, it will then return the username and token expiry time associated to authenticated user by fetching this information
// from the resource server and matching it with the user identifier setting.
func (*Service) Authenticate(code string, configuration *portainer.OAuthSettings) (string, error) {
	token, err := GetOAuthToken(code, configuration)
	if err != nil {
		log.Error().Err(err).Msg("failed retrieving oauth token")

		return "", err
	}

	idToken, err := GetIdToken(token)
	if err != nil {
		log.Error().Err(err).Msg("failed parsing id_token")
	}

	resource, err := GetResource(token.AccessToken, configuration.ResourceURI)
	if err != nil {
		log.Error().Err(err).Msg("failed retrieving resource")

		return "", err
	}

	maps.Copy(idToken, resource)

	username, err := GetUsername(resource, configuration.UserIdentifier)
	if err != nil {
		log.Error().Err(err).Msg("failed retrieving username")

		return "", err
	}

	return username, nil
}

func GetOAuthToken(code string, configuration *portainer.OAuthSettings) (*oauth2.Token, error) {
	unescapedCode, err := url.QueryUnescape(code)
	if err != nil {
		return nil, err
	}

	config := buildConfig(configuration)

	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
	defer cancel()

	return config.Exchange(ctx, unescapedCode)
}

// GetIdToken retrieves parsed id_token from the OAuth token response.
// This is necessary for OAuth providers like Azure
// that do not provide information about user groups on the user resource endpoint.
func GetIdToken(token *oauth2.Token) (map[string]any, error) {
	tokenData := make(map[string]any)

	idToken := token.Extra("id_token")
	if idToken == nil {
		return tokenData, nil
	}

	jwtParser := jwt.Parser{
		SkipClaimsValidation: true,
	}

	t, _, err := jwtParser.ParseUnverified(idToken.(string), jwt.MapClaims{})
	if err != nil {
		return tokenData, errors.Wrap(err, "failed to parse id_token")
	}

	if claims, ok := t.Claims.(jwt.MapClaims); ok {
		for k, v := range claims {
			tokenData[k] = v
		}
	}

	return tokenData, nil
}

func GetResource(token string, resourceURI string) (map[string]any, error) {
	req, err := http.NewRequest(http.MethodGet, resourceURI, nil)
	if err != nil {
		return nil, err
	}

	client := &http.Client{}
	req.Header.Set("Authorization", "Bearer "+token)

	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}

	if resp.StatusCode != http.StatusOK {
		return nil, &oauth2.RetrieveError{
			Response: resp,
			Body:     body,
		}
	}

	content, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
	if err != nil {
		return nil, err
	}

	if content == "application/x-www-form-urlencoded" || content == "text/plain" {
		values, err := url.ParseQuery(string(body))
		if err != nil {
			return nil, err
		}

		datamap := make(map[string]any)
		for k, v := range values {
			if len(v) == 0 {
				datamap[k] = ""
			} else {
				datamap[k] = v[0]
			}
		}

		return datamap, nil
	}

	var datamap map[string]any
	if err = json.Unmarshal(body, &datamap); err != nil {
		return nil, err
	}

	return datamap, nil
}

func buildConfig(config *portainer.OAuthSettings) *oauth2.Config {
	return &oauth2.Config{
		ClientID:     config.ClientID,
		ClientSecret: config.ClientSecret,
		RedirectURL:  config.RedirectURI,
		Scopes:       strings.Split(config.Scopes, ","),
		Endpoint: oauth2.Endpoint{
			AuthURL:   config.AuthorizationURI,
			TokenURL:  config.AccessTokenURI,
			AuthStyle: config.AuthStyle,
		},
	}
}