164 lines
4.4 KiB
Go
164 lines
4.4 KiB
Go
package main
|
|
|
|
import (
|
|
"context"
|
|
"encoding/hex"
|
|
"encoding/json"
|
|
"flag"
|
|
"log"
|
|
"net/http"
|
|
"os"
|
|
|
|
"golang.org/x/oauth2"
|
|
|
|
"github.com/coreos/go-oidc/v3/oidc"
|
|
"github.com/gin-gonic/gin"
|
|
)
|
|
|
|
const (
|
|
OAUTH_GITLAB_FILE = ".gitlab-oauth-token"
|
|
)
|
|
|
|
var (
|
|
gitlabBaseURL = "https://gitlab.cri.epita.fr"
|
|
gitlabClientID = ""
|
|
gitlabSecret = ""
|
|
gitlaboauth2Config oauth2.Config
|
|
gitlaboidcVerifier *oidc.IDTokenVerifier
|
|
gitlabToken *oauth2.Token
|
|
)
|
|
|
|
func init() {
|
|
flag.StringVar(&gitlabClientID, "gitlab-clientid", gitlabClientID, "ClientID for GitLab's OIDC")
|
|
flag.StringVar(&gitlabSecret, "gitlab-secret", gitlabSecret, "Secret for GitLab's OIDC")
|
|
}
|
|
|
|
func initializeGitLabOIDC(router *gin.Engine, authrouter *gin.RouterGroup, adminrouter *gin.RouterGroup) {
|
|
adminrouter.GET("/auth/gitlabcri", redirectOAuth_GitLab)
|
|
router.GET("/callback/gitlabcri/complete", GitLab_OAuth_complete)
|
|
|
|
if _, err := os.Stat(OAUTH_GITLAB_FILE); err == nil {
|
|
gitlabToken, err = loadOAuth2Token(OAUTH_GITLAB_FILE)
|
|
if err != nil {
|
|
log.Println("Unable to load OAuth2 Token:", err.Error())
|
|
}
|
|
}
|
|
|
|
if gitlabClientID != "" && gitlabSecret != "" {
|
|
provider, err := oidc.NewProvider(context.Background(), gitlabBaseURL)
|
|
if err != nil {
|
|
log.Fatal("Unable to setup oidc:", err)
|
|
}
|
|
|
|
gitlaboauth2Config = oauth2.Config{
|
|
ClientID: gitlabClientID,
|
|
ClientSecret: gitlabSecret,
|
|
RedirectURL: oidcRedirectURL + baseURL + "/callback/gitlabcri/complete",
|
|
|
|
// Discovery returns the OAuth2 endpoints.
|
|
Endpoint: provider.Endpoint(),
|
|
|
|
// "openid" is a required scope for OpenID Connect flows.
|
|
Scopes: []string{"api", "read_repository", "email"},
|
|
}
|
|
|
|
oidcConfig := oidc.Config{
|
|
ClientID: gitlabClientID,
|
|
}
|
|
gitlaboidcVerifier = provider.Verifier(&oidcConfig)
|
|
|
|
authrouter.GET("/api/gitlabcri/repositories", GitLab_getRepositories)
|
|
}
|
|
}
|
|
|
|
func loadOAuth2Token(file string) (*oauth2.Token, error) {
|
|
fd, err := os.Open(file)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer fd.Close()
|
|
|
|
var tok oauth2.Token
|
|
err = json.NewDecoder(fd).Decode(&tok)
|
|
|
|
return &tok, err
|
|
}
|
|
|
|
func saveOAuth2Token(file string, tok *oauth2.Token) error {
|
|
fd, err := os.Create(file)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer fd.Close()
|
|
|
|
return json.NewEncoder(fd).Encode(tok)
|
|
}
|
|
|
|
func redirectOAuth_GitLab(c *gin.Context) {
|
|
session := c.MustGet("Session").(*Session)
|
|
|
|
// Save next parameter
|
|
if len(c.Request.URL.Query().Get("next")) > 0 {
|
|
session.SetKey("gitlab-oidc-source", c.Request.URL.Query().Get("next"))
|
|
}
|
|
|
|
c.Redirect(http.StatusFound, gitlaboauth2Config.AuthCodeURL(hex.EncodeToString(session.Id)))
|
|
}
|
|
|
|
func GitLab_OAuth_complete(c *gin.Context) {
|
|
idsession, err := hex.DecodeString(c.Request.URL.Query().Get("state"))
|
|
if err != nil {
|
|
c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"errmsg": err.Error()})
|
|
return
|
|
}
|
|
|
|
session, err := getSession(idsession)
|
|
if err != nil {
|
|
c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"errmsg": err.Error()})
|
|
return
|
|
}
|
|
|
|
oauth2Token, err := gitlaboauth2Config.Exchange(c.Request.Context(), c.Request.URL.Query().Get("code"))
|
|
if err != nil {
|
|
c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": "Failed to exchange token: " + err.Error()})
|
|
return
|
|
}
|
|
|
|
gitlabToken = oauth2Token
|
|
err = saveOAuth2Token(OAUTH_GITLAB_FILE, oauth2Token)
|
|
if err != nil {
|
|
c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": "Unable to save OAuth2 token: " + err.Error()})
|
|
return
|
|
|
|
}
|
|
log.Println("New GitLab OAuth2 session opened")
|
|
|
|
if source, ok := session.GetKey("gitlab-oidc-source"); ok {
|
|
session.DeleteKey("gitlab-oidc-source")
|
|
c.Redirect(http.StatusFound, baseURL+source.(string))
|
|
} else {
|
|
c.Redirect(http.StatusFound, baseURL+"/works")
|
|
}
|
|
session.Update()
|
|
}
|
|
|
|
func GitLab_getRepositories(c *gin.Context) {
|
|
client := gitlaboauth2Config.Client(c.Request.Context(), gitlabToken)
|
|
|
|
req, err := http.NewRequest("GET", gitlabBaseURL+"/api/v4/projects", nil)
|
|
if err != nil {
|
|
log.Println("Unable to create NewRequest before GitLab call: ", err.Error())
|
|
c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": "An error occurs when performing the GitLab request."})
|
|
return
|
|
}
|
|
|
|
resp, err := client.Do(req)
|
|
if err != nil {
|
|
log.Println("Unable to perform the GitLab request: ", err.Error())
|
|
c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": "An error occurs when performing the GitLab request."})
|
|
return
|
|
}
|
|
|
|
c.DataFromReader(resp.StatusCode, resp.ContentLength, resp.Header.Get("content-type"), resp.Body, nil)
|
|
}
|