Big refactoring of PARCOURSMOB - Initial commit

2022-08-11 17:26:55 +02:00
commit 7225d027c9
65 changed files with 10276 additions and 0 deletions
--- a/utils/identification/groups.go
+++ b/utils/identification/groups.go
@@ -0,0 +1,74 @@
+package identification
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	groupsmanagement "git.coopgo.io/coopgo-platform/groups-management/grpcapi"
+)
+
+const GroupKey ContextKey = "group"
+const RolesKey ContextKey = "roles"
+
+func (p *IdentificationProvider) GroupsMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		claims := r.Context().Value(ClaimsKey).(map[string]any)
+
+		session, _ := p.SessionsStore.Get(r, "parcoursmob_session")
+
+		o, ok := session.Values["organization"]
+		if !ok || o == nil {
+			http.Redirect(w, r, "/auth/groups/", http.StatusFound)
+			return
+		}
+
+		org := o.(string)
+
+		claimgroups, ok := claims["groups"].([]any)
+
+		if !ok {
+			fmt.Println("cast issue")
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+
+		for _, group := range claimgroups {
+			if group == org {
+
+				request := &groupsmanagement.GetGroupRequest{
+					Id: group.(string),
+				}
+
+				resp, err := p.Services.GRPC.GroupsManagement.GetGroup(context.TODO(), request)
+				if err != nil {
+					delete(session.Values, "organization")
+					session.Save(r, w)
+					http.Redirect(w, r, "/auth/groups/", http.StatusFound)
+					return
+				}
+
+				ctx := context.WithValue(r.Context(), GroupKey, resp.Group.ToStorageType())
+
+				roles := map[string]bool{}
+
+				for _, role := range claimgroups {
+					//TODO handle flexible roles / roles discovery
+					if role == fmt.Sprintf("%s:admin", org) {
+						roles[role.(string)] = true
+					}
+				}
+
+				ctx = context.WithValue(ctx, RolesKey, roles)
+
+				next.ServeHTTP(w, r.WithContext(ctx))
+				return
+			}
+		}
+
+		// Session organization is not in the available groups
+		delete(session.Values, "organization")
+		session.Save(r, w)
+		http.Redirect(w, r, "/auth/groups/", http.StatusFound)
+	})
+}
--- a/utils/identification/oidc.go
+++ b/utils/identification/oidc.go
@@ -0,0 +1,117 @@
+package identification
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/base64"
+	"fmt"
+	"io"
+	"net/http"
+
+	"git.coopgo.io/coopgo-apps/parcoursmob/services"
+	"github.com/coreos/go-oidc"
+	"github.com/gorilla/sessions"
+	"github.com/spf13/viper"
+	"golang.org/x/oauth2"
+)
+
+type ContextKey string
+
+const IdtokenKey ContextKey = "idtoken"
+const ClaimsKey ContextKey = "claims"
+
+type IdentificationProvider struct {
+	SessionsStore sessions.Store
+	Provider      *oidc.Provider
+	OAuth2Config  oauth2.Config
+	TokenVerifier *oidc.IDTokenVerifier
+	Services      *services.ServicesHandler
+}
+
+func NewIdentificationProvider(cfg *viper.Viper, services *services.ServicesHandler) (*IdentificationProvider, error) {
+	var (
+		providerURL    = cfg.GetString("identification.oidc.provider")
+		clientID       = cfg.GetString("identification.oidc.client_id")
+		clientSecret   = cfg.GetString("identification.oidc.client_secret")
+		redirectURL    = cfg.GetString("identification.oidc.redirect_url")
+		sessionsSecret = cfg.GetString("identification.sessions.secret")
+	)
+
+	provider, err := oidc.NewProvider(context.Background(), providerURL)
+	if err != nil {
+		return nil, err
+	}
+
+	oauth2Config := oauth2.Config{
+		ClientID:     clientID,
+		ClientSecret: clientSecret,
+		RedirectURL:  redirectURL,
+
+		// Discovery returns the OAuth2 endpoints.
+		Endpoint: provider.Endpoint(),
+
+		// "openid" is a required scope for OpenID Connect flows.
+		Scopes: []string{oidc.ScopeOpenID, "groups", "profile"},
+	}
+
+	var store = sessions.NewCookieStore([]byte(sessionsSecret))
+	verifier := provider.Verifier(&oidc.Config{ClientID: oauth2Config.ClientID})
+
+	return &IdentificationProvider{
+		SessionsStore: store,
+		Provider:      provider,
+		OAuth2Config:  oauth2Config,
+		TokenVerifier: verifier,
+		Services:      services,
+	}, nil
+}
+
+func (p *IdentificationProvider) Middleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		session, _ := p.SessionsStore.Get(r, "parcoursmob_session")
+
+		if session.Values["idtoken"] == nil || session.Values["idtoken"] == "" {
+
+			state, err := newState()
+			if err != nil {
+				panic(err)
+			}
+			session.Values["state"] = state
+			session.Save(r, w)
+			http.Redirect(w, r, p.OAuth2Config.AuthCodeURL(state), http.StatusFound)
+			return
+		}
+
+		idtoken, err := p.TokenVerifier.Verify(context.Background(), session.Values["idtoken"].(string))
+		if err != nil {
+			state, err := newState()
+			if err != nil {
+				panic(err)
+			}
+			session.Values["state"] = state
+			delete(session.Values, "idtoken")
+			http.Redirect(w, r, p.OAuth2Config.AuthCodeURL(state), http.StatusFound)
+			return
+		}
+
+		var claims map[string]any
+
+		err = idtoken.Claims(&claims)
+		if err != nil {
+			fmt.Println(err)
+		}
+
+		ctx := context.WithValue(r.Context(), IdtokenKey, idtoken)
+		ctx = context.WithValue(ctx, ClaimsKey, claims)
+
+		next.ServeHTTP(w, r.WithContext(ctx))
+	})
+}
+
+func newState() (string, error) {
+	b := make([]byte, 16)
+	if _, err := io.ReadFull(rand.Reader, b); err != nil {
+		return "", err
+	}
+	return base64.RawURLEncoding.EncodeToString(b), nil
+}