ccfos
/
nightingale
Not watched
1
0
Fork 0
Code
Releases 20 Wiki evaluate Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain HPC
You can not select more than 25 topics Topics must start with a chinese character,a letter or number, can include dashes ('-') and can be up to 35 characters long.
Tree: 765b3a57fe
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '765b3a57fe'
${ noResults }
nightingale/pkg/oidcx/oidc.go

211 lines
4.8 kB
Raw Blame History 

  1. package oidcx

  2. 

  3. import (

  4. 	"context"

  5. 	"fmt"

  6. 	"sync"

  7. 	"time"

  8. 

  9. 	"github.com/ccfos/nightingale/v6/storage"

  10. 

  11. 	oidc "github.com/coreos/go-oidc"

  12. 	"github.com/google/uuid"

  13. 	"github.com/toolkits/pkg/logger"

  14. 	"golang.org/x/oauth2"

  15. )

  16. 

  17. type SsoClient struct {

  18. 	Enable          bool

  19. 	Verifier        *oidc.IDTokenVerifier

  20. 	Config          oauth2.Config

  21. 	SsoAddr         string

  22. 	CallbackAddr    string

  23. 	CoverAttributes bool

  24. 	DisplayName     string

  25. 	Attributes      struct {

  26. 		Username string

  27. 		Nickname string

  28. 		Phone    string

  29. 		Email    string

  30. 	}

  31. 	DefaultRoles []string

  32. 

  33. 	sync.RWMutex

  34. }

  35. 

  36. type Config struct {

  37. 	Enable          bool

  38. 	DisplayName     string

  39. 	RedirectURL     string

  40. 	SsoAddr         string

  41. 	ClientId        string

  42. 	ClientSecret    string

  43. 	CoverAttributes bool

  44. 	Attributes      struct {

  45. 		Nickname string

  46. 		Username string

  47. 		Phone    string

  48. 		Email    string

  49. 	}

  50. 	DefaultRoles []string

  51. }

  52. 

  53. func New(cf Config) (*SsoClient, error) {

  54. 	var s = &SsoClient{}

  55. 	if !cf.Enable {

  56. 		return s, nil

  57. 	}

  58. 	err := s.Reload(cf)

  59. 	return s, err

  60. }

  61. 

  62. func (s *SsoClient) Reload(cf Config) error {

  63. 	s.Lock()

  64. 	defer s.Unlock()

  65. 	if !cf.Enable {

  66. 		s.Enable = cf.Enable

  67. 		return nil

  68. 	}

  69. 

  70. 	if cf.Attributes.Username == "" {

  71. 		cf.Attributes.Username = "sub"

  72. 	}

  73. 

  74. 	s.Enable = cf.Enable

  75. 	s.SsoAddr = cf.SsoAddr

  76. 	s.CallbackAddr = cf.RedirectURL

  77. 	s.CoverAttributes = cf.CoverAttributes

  78. 	s.Attributes.Username = cf.Attributes.Username

  79. 	s.Attributes.Nickname = cf.Attributes.Nickname

  80. 	s.Attributes.Phone = cf.Attributes.Phone

  81. 	s.Attributes.Email = cf.Attributes.Email

  82. 	s.DisplayName = cf.DisplayName

  83. 	s.DefaultRoles = cf.DefaultRoles

  84. 	provider, err := oidc.NewProvider(context.Background(), cf.SsoAddr)

  85. 	if err != nil {

  86. 		return err

  87. 	}

  88. 	oidcConfig := &oidc.Config{

  89. 		ClientID: cf.ClientId,

  90. 	}

  91. 

  92. 	s.Verifier = provider.Verifier(oidcConfig)

  93. 	s.Config = oauth2.Config{

  94. 		ClientID:     cf.ClientId,

  95. 		ClientSecret: cf.ClientSecret,

  96. 		Endpoint:     provider.Endpoint(),

  97. 		RedirectURL:  cf.RedirectURL,

  98. 		Scopes:       []string{oidc.ScopeOpenID, "profile", "email", "phone"},

  99. 	}

  100. 	return nil

  101. }

  102. 

  103. func (s *SsoClient) GetDisplayName() string {

  104. 	s.RLock()

  105. 	defer s.RUnlock()

  106. 	if !s.Enable {

  107. 		return ""

  108. 	}

  109. 

  110. 	return s.DisplayName

  111. }

  112. 

  113. func wrapStateKey(key string) string {

  114. 	return "n9e_oidc_" + key

  115. }

  116. 

  117. // Authorize return the sso authorize location with state

  118. func (s *SsoClient) Authorize(redis storage.Redis, redirect string) (string, error) {

  119. 	s.RLock()

  120. 	defer s.RUnlock()

  121. 

  122. 	state := uuid.New().String()

  123. 	ctx := context.Background()

  124. 

  125. 	err := redis.Set(ctx, wrapStateKey(state), redirect, time.Duration(300*time.Second)).Err()

  126. 	if err != nil {

  127. 		return "", err

  128. 	}

  129. 

  130. 	return s.Config.AuthCodeURL(state), nil

  131. }

  132. 

  133. func fetchRedirect(redis storage.Redis, ctx context.Context, state string) (string, error) {

  134. 	return redis.Get(ctx, wrapStateKey(state)).Result()

  135. }

  136. 

  137. func deleteRedirect(redis storage.Redis, ctx context.Context, state string) error {

  138. 	return redis.Del(ctx, wrapStateKey(state)).Err()

  139. }

  140. 

  141. // Callback 用 code 兑换 accessToken 以及 用户信息,

  142. func (s *SsoClient) Callback(redis storage.Redis, ctx context.Context, code, state string) (*CallbackOutput, error) {

  143. 	ret, err := s.exchangeUser(code)

  144. 	if err != nil {

  145. 		return nil, fmt.Errorf("ilegal user:%v", err)

  146. 	}

  147. 

  148. 	ret.Redirect, err = fetchRedirect(redis, ctx, state)

  149. 	if err != nil {

  150. 		logger.Debugf("get redirect err:%v code:%s state:%s", code, state, err)

  151. 	}

  152. 

  153. 	err = deleteRedirect(redis, ctx, state)

  154. 	if err != nil {

  155. 		logger.Debugf("delete redirect err:%v code:%s state:%s", code, state, err)

  156. 	}

  157. 	return ret, nil

  158. }

  159. 

  160. type CallbackOutput struct {

  161. 	Redirect    string `json:"redirect"`

  162. 	Msg         string `json:"msg"`

  163. 	AccessToken string `json:"accessToken"`

  164. 	Username    string `json:"username"`

  165. 	Nickname    string `json:"nickname"`

  166. 	Phone       string `yaml:"phone"`

  167. 	Email       string `yaml:"email"`

  168. }

  169. 

  170. func (s *SsoClient) exchangeUser(code string) (*CallbackOutput, error) {

  171. 	s.RLock()

  172. 	defer s.RUnlock()

  173. 

  174. 	ctx := context.Background()

  175. 	oauth2Token, err := s.Config.Exchange(ctx, code)

  176. 	if err != nil {

  177. 		return nil, fmt.Errorf("failed to exchange token: %v", err)

  178. 	}

  179. 

  180. 	rawIDToken, ok := oauth2Token.Extra("id_token").(string)

  181. 	if !ok {

  182. 		return nil, fmt.Errorf("no id_token field in oauth2 token. ")

  183. 	}

  184. 

  185. 	idToken, err := s.Verifier.Verify(ctx, rawIDToken)

  186. 	if err != nil {

  187. 		return nil, fmt.Errorf("failed to verify ID Token: %v", err)

  188. 	}

  189. 

  190. 	data := map[string]interface{}{}

  191. 	if err := idToken.Claims(&data); err != nil {

  192. 		return nil, err

  193. 	}

  194. 

  195. 	v := func(k string) string {

  196. 		if in := data[k]; in == nil {

  197. 			return ""

  198. 		} else {

  199. 			return in.(string)

  200. 		}

  201. 	}

  202. 

  203. 	return &CallbackOutput{

  204. 		AccessToken: oauth2Token.AccessToken,

  205. 		Username:    v(s.Attributes.Username),

  206. 		Nickname:    v(s.Attributes.Nickname),

  207. 		Phone:       v(s.Attributes.Phone),

  208. 		Email:       v(s.Attributes.Email),

  209. 	}, nil

  210. }