573 lines
17 KiB
Plaintext
573 lines
17 KiB
Plaintext
note
|
|
description: "[
|
|
Generic OAuth Module supporting authentication using different providers.
|
|
]"
|
|
date: "$Date$"
|
|
revision: "$Revision$"
|
|
|
|
class
|
|
CMS_OAUTH_20_MODULE
|
|
|
|
inherit
|
|
CMS_AUTH_MODULE_I
|
|
rename
|
|
module_api as oauth20_api
|
|
redefine
|
|
make,
|
|
filters,
|
|
setup_hooks,
|
|
initialize,
|
|
install,
|
|
oauth20_api
|
|
end
|
|
|
|
CMS_ADMINISTRABLE
|
|
|
|
CMS_HOOK_BLOCK
|
|
|
|
SHARED_EXECUTION_ENVIRONMENT
|
|
export
|
|
{NONE} all
|
|
end
|
|
|
|
REFACTORING_HELPER
|
|
|
|
create
|
|
make
|
|
|
|
feature {NONE} -- Initialization
|
|
|
|
make
|
|
-- Create current module
|
|
do
|
|
Precursor
|
|
version := "1.0"
|
|
description := "OAuth20 module"
|
|
|
|
create root_dir.make_current
|
|
cache_duration := 0
|
|
end
|
|
|
|
feature -- Access
|
|
|
|
name: STRING = "oauth20"
|
|
|
|
feature {CMS_EXECUTION} -- Administration
|
|
|
|
administration: CMS_OAUTH_20_MODULE_ADMINISTRATION
|
|
do
|
|
create Result.make (Current)
|
|
end
|
|
|
|
feature {CMS_API} -- Module Initialization
|
|
|
|
initialize (a_api: CMS_API)
|
|
-- <Precursor>
|
|
local
|
|
l_oauth20_api: like oauth20_api
|
|
l_auth_storage: CMS_OAUTH_20_STORAGE_I
|
|
do
|
|
Precursor (a_api)
|
|
|
|
-- Storage initialization
|
|
if attached a_api.storage.as_sql_storage as l_storage_sql then
|
|
create {CMS_OAUTH_20_STORAGE_SQL} l_auth_storage.make (l_storage_sql)
|
|
else
|
|
-- FIXME: in case of NULL storage, should Current be disabled?
|
|
create {CMS_OAUTH_20_STORAGE_NULL} l_auth_storage
|
|
end
|
|
|
|
-- API initialization
|
|
create l_oauth20_api.make_with_storage (a_api, l_auth_storage)
|
|
oauth20_api := l_oauth20_api
|
|
ensure then
|
|
user_oauth_api_set: oauth20_api /= Void
|
|
end
|
|
|
|
feature {CMS_API} -- Module management
|
|
|
|
install (api: CMS_API)
|
|
local
|
|
l_consumers: LIST [STRING]
|
|
do
|
|
-- Schema
|
|
if attached api.storage.as_sql_storage as l_sql_storage then
|
|
--| Schema
|
|
l_sql_storage.sql_execute_file_script (api.module_resource_location (Current, (create {PATH}.make_from_string ("scripts")).extended ("install.sql")), Void)
|
|
|
|
if l_sql_storage.has_error then
|
|
api.logger.put_error ("Could not initialize database for module [" + name + "]", generating_type)
|
|
else
|
|
-- TODO workaround.
|
|
l_sql_storage.sql_execute_file_script (api.module_resource_location (Current, (create {PATH}.make_from_string ("scripts")).extended ("data.sql")), Void)
|
|
if l_sql_storage.has_error then
|
|
api.logger.put_error ("Could not initialize oauth2_consumers for module [" + name + "]", generating_type)
|
|
else
|
|
-- TODO workaround, until we have an admin module
|
|
l_sql_storage.sql_query ("SELECT name FROM oauth2_consumers;", Void)
|
|
if l_sql_storage.has_error then
|
|
api.logger.put_error ("Could not initialize database for different consumers", generating_type)
|
|
else
|
|
from
|
|
l_sql_storage.sql_start
|
|
create {ARRAYED_LIST [STRING]} l_consumers.make (2)
|
|
until
|
|
l_sql_storage.sql_after
|
|
loop
|
|
if attached l_sql_storage.sql_read_string (1) as l_name then
|
|
l_consumers.force ("oauth2_" + l_name)
|
|
end
|
|
l_sql_storage.sql_forth
|
|
end
|
|
l_sql_storage.sql_finalize
|
|
|
|
across l_consumers as ic loop
|
|
if not l_sql_storage.sql_table_exists (ic.item) then
|
|
if attached l_sql_storage.sql_script_content (api.module_resource_location (Current, (create {PATH}.make_from_string ("scripts")).extended ("oauth2_table.sql.tpl"))) as sql then
|
|
-- FIXME: shouldn't we use a unique table for all oauth providers? or as it is .. one table per oauth provider?
|
|
sql.replace_substring_all ("$table_name", ic.item)
|
|
l_sql_storage.sql_execute_script (sql, Void)
|
|
end
|
|
end
|
|
end
|
|
end
|
|
l_sql_storage.sql_finalize
|
|
|
|
Precursor {CMS_AUTH_MODULE_I}(api) -- Marked as installed.
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
feature {CMS_API, CMS_MODULE_ADMINISTRATION} -- Access: API
|
|
|
|
oauth20_api: detachable CMS_OAUTH_20_API
|
|
-- <Precursor>
|
|
|
|
feature -- Filters
|
|
|
|
filters (a_api: CMS_API): detachable LIST [WSF_FILTER]
|
|
-- Possibly list of Filter's module.
|
|
do
|
|
if attached oauth20_api as l_oauth_api then
|
|
create {ARRAYED_LIST [WSF_FILTER]} Result.make (1)
|
|
Result.extend (create {CMS_OAUTH_20_FILTER}.make (a_api, l_oauth_api))
|
|
end
|
|
end
|
|
|
|
feature -- Access: docs
|
|
|
|
root_dir: PATH
|
|
|
|
cache_duration: INTEGER
|
|
-- Caching duration
|
|
--| 0: disable
|
|
--| -1: cache always valie
|
|
--| nb: cache expires after nb seconds.
|
|
|
|
cache_disabled: BOOLEAN
|
|
do
|
|
Result := cache_duration = 0
|
|
end
|
|
|
|
feature -- Access: auth strategy
|
|
|
|
login_title: STRING = "OAuth"
|
|
-- Module specific login title.
|
|
|
|
login_location: STRING = "account/auth/roc-oauth-login"
|
|
|
|
logout_location: STRING = "account/auth/roc-oauth-logout"
|
|
|
|
is_authenticating (a_response: CMS_RESPONSE): BOOLEAN
|
|
-- <Precursor>
|
|
do
|
|
if
|
|
a_response.is_authenticated and then
|
|
attached oauth20_api as l_oauth20_api and then
|
|
attached a_response.request.cookie (l_oauth20_api.session_token)
|
|
then
|
|
Result := True
|
|
end
|
|
end
|
|
|
|
feature -- Router
|
|
|
|
setup_router (a_router: WSF_ROUTER; a_api: CMS_API)
|
|
-- <Precursor>
|
|
do
|
|
if attached oauth20_api as l_oauth_api then
|
|
a_router.handle ("/" + login_location,
|
|
create {WSF_URI_AGENT_HANDLER}.make (agent handle_login (a_api, ?, ?)), a_router.methods_head_get)
|
|
a_router.handle ("/" + logout_location,
|
|
create {WSF_URI_AGENT_HANDLER}.make (agent handle_logout (a_api, l_oauth_api, ?, ?)),
|
|
a_router.methods_get_post)
|
|
a_router.handle ("/account/auth/login-with-oauth/{" + oauth_callback_path_parameter + "}",
|
|
create {WSF_URI_TEMPLATE_AGENT_HANDLER}.make (agent handle_login_with_oauth (a_api, l_oauth_api, ?, ?)),
|
|
a_router.methods_get_post)
|
|
a_router.handle ("/account/auth/oauth-callback/{" + oauth_callback_path_parameter + "}",
|
|
create {WSF_URI_TEMPLATE_AGENT_HANDLER}.make (agent handle_callback_oauth (a_api, l_oauth_api, ?, ?)),
|
|
a_router.methods_get_post)
|
|
a_router.handle ("/account/auth/oauth-associate",
|
|
create {WSF_URI_TEMPLATE_AGENT_HANDLER}.make (agent handle_associate (a_api, l_oauth_api, ?, ?)),
|
|
a_router.methods_post)
|
|
a_router.handle ("/account/auth/oauth-un-associate",
|
|
create {WSF_URI_TEMPLATE_AGENT_HANDLER}.make (agent handle_un_associate (a_api, l_oauth_api, ?, ?)),
|
|
a_router.methods_post)
|
|
end
|
|
end
|
|
|
|
oauth_callback_path_parameter: STRING = "callback"
|
|
-- Callback path parameter.
|
|
|
|
oauth_code_query_parameter: STRING = "code"
|
|
-- Code query parameter, specific to OAuth protocol.
|
|
-- FIXME: should we have a way to change this value?
|
|
-- : if a OAuth provider is not using "code" query name.
|
|
|
|
feature -- Hooks configuration
|
|
|
|
setup_hooks (a_hooks: CMS_HOOK_CORE_MANAGER)
|
|
-- Module hooks configuration.
|
|
do
|
|
Precursor (a_hooks)
|
|
a_hooks.subscribe_to_block_hook (Current)
|
|
end
|
|
|
|
feature -- Hooks
|
|
|
|
block_list: ITERABLE [like {CMS_BLOCK}.name]
|
|
do
|
|
Result := <<"login", "account">>
|
|
end
|
|
|
|
get_block_view (a_block_id: READABLE_STRING_8; a_response: CMS_RESPONSE)
|
|
do
|
|
if
|
|
a_block_id.is_case_insensitive_equal_general ("login") and then
|
|
a_response.location.starts_with (login_location)
|
|
then
|
|
get_block_view_login (a_block_id, a_response)
|
|
elseif a_block_id.is_case_insensitive_equal_general ("account") and then
|
|
a_response.location.same_string ("account")
|
|
then
|
|
if
|
|
attached smarty_template_block (Current, "account_info", a_response.api) as l_tpl_block and then
|
|
attached a_response.user as l_user
|
|
then
|
|
associate_account (l_user, a_response.values)
|
|
l_tpl_block.set_weight (5)
|
|
a_response.add_block (l_tpl_block, "content")
|
|
else
|
|
debug ("cms")
|
|
a_response.add_warning_message ("Error with block [resources_page]")
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
handle_login (api: CMS_API; req: WSF_REQUEST; res: WSF_RESPONSE)
|
|
local
|
|
r: CMS_RESPONSE
|
|
do
|
|
create {GENERIC_VIEW_CMS_RESPONSE} r.make (req, res, api)
|
|
if r.is_authenticated then
|
|
r.add_error_message ("You are already signed in!")
|
|
else
|
|
r.set_optional_content_type ("Login")
|
|
end
|
|
r.execute
|
|
end
|
|
|
|
handle_logout (api: CMS_API; a_oauth20_api: CMS_OAUTH_20_API; req: WSF_REQUEST; res: WSF_RESPONSE)
|
|
local
|
|
r: CMS_RESPONSE
|
|
l_cookie: WSF_COOKIE
|
|
do
|
|
if
|
|
attached api.user as l_user and then
|
|
attached {WSF_STRING} req.cookie (a_oauth20_api.session_token) as l_cookie_token
|
|
then
|
|
-- Logout OAuth
|
|
create l_cookie.make (a_oauth20_api.session_token, l_cookie_token.url_encoded_value)
|
|
l_cookie.set_path ("/")
|
|
l_cookie.set_max_age (-1)
|
|
res.add_cookie (l_cookie)
|
|
api.unset_current_user (req)
|
|
|
|
create {GENERIC_VIEW_CMS_RESPONSE} r.make (req, res, api)
|
|
r.set_status_code ({HTTP_CONSTANTS}.found)
|
|
r.set_redirection (req.absolute_script_url (""))
|
|
r.execute
|
|
else
|
|
fixme (generator + ": missing else implementation in handle_logout!")
|
|
end
|
|
end
|
|
|
|
feature {NONE} -- Associate
|
|
|
|
associate_account (a_user: CMS_USER; a_value: CMS_VALUE_TABLE)
|
|
local
|
|
l_associated: LIST [STRING]
|
|
l_not_associated: LIST [STRING]
|
|
do
|
|
if attached oauth20_api as l_oauth_api then
|
|
create {ARRAYED_LIST [STRING]} l_associated.make (1)
|
|
create {ARRAYED_LIST [STRING]} l_not_associated.make (1)
|
|
across l_oauth_api.oauth2_consumers as ic loop
|
|
if attached l_oauth_api.user_oauth2_by_id (a_user.id, ic.item) then
|
|
l_associated.force (ic.item)
|
|
else
|
|
l_not_associated.force (ic.item)
|
|
end
|
|
end
|
|
a_value.force (l_associated, "oauth_associated")
|
|
a_value.force (l_not_associated, "oauth_not_associated")
|
|
end
|
|
end
|
|
|
|
feature {NONE} -- Block views
|
|
|
|
get_block_view_login (a_block_id: READABLE_STRING_8; a_response: CMS_RESPONSE)
|
|
local
|
|
vals: CMS_VALUE_TABLE
|
|
do
|
|
if attached smarty_template_block (Current, a_block_id, a_response.api) as l_tpl_block then
|
|
create vals.make (1)
|
|
-- add the variable to the block
|
|
a_response.api.hooks.invoke_value_table_alter (vals, a_response)
|
|
across
|
|
vals as ic
|
|
loop
|
|
l_tpl_block.set_value (ic.item, ic.key)
|
|
end
|
|
if
|
|
attached oauth20_api as l_auth_api and then
|
|
attached l_auth_api.oauth2_consumers as l_list
|
|
then
|
|
l_tpl_block.set_value (l_list, "oauth_consumers")
|
|
end
|
|
|
|
a_response.add_block (l_tpl_block, "content")
|
|
else
|
|
debug ("cms")
|
|
a_response.add_warning_message ("Error with block [" + a_block_id + "]")
|
|
end
|
|
end
|
|
end
|
|
|
|
|
|
feature -- OAuth2 Login with Provider
|
|
|
|
handle_login_with_oauth (api: CMS_API; a_oauth_api: CMS_OAUTH_20_API; req: WSF_REQUEST; res: WSF_RESPONSE)
|
|
local
|
|
r: CMS_RESPONSE
|
|
l_oauth: CMS_OAUTH_20_WORKFLOW
|
|
do
|
|
if
|
|
attached {WSF_STRING} req.path_parameter (oauth_callback_path_parameter) as p_consumer and then
|
|
attached {CMS_OAUTH_20_CONSUMER} a_oauth_api.oauth_consumer_by_name (p_consumer.value) as l_consumer
|
|
then
|
|
create l_oauth.make (req.server_url, l_consumer)
|
|
if attached l_oauth.authorization_url as l_authorization_url then
|
|
create {GENERIC_VIEW_CMS_RESPONSE} r.make (req, res, api)
|
|
r.set_redirection (l_authorization_url)
|
|
r.execute
|
|
else
|
|
create {BAD_REQUEST_ERROR_CMS_RESPONSE} r.make (req, res, api)
|
|
r.set_main_content ("Bad request")
|
|
r.execute
|
|
end
|
|
else
|
|
create {BAD_REQUEST_ERROR_CMS_RESPONSE} r.make (req, res, api)
|
|
r.set_main_content ("Bad request")
|
|
r.execute
|
|
end
|
|
end
|
|
|
|
handle_callback_oauth (api: CMS_API; a_oauth_api: CMS_OAUTH_20_API; req: WSF_REQUEST; res: WSF_RESPONSE)
|
|
local
|
|
r: CMS_RESPONSE
|
|
l_auth: CMS_OAUTH_20_WORKFLOW
|
|
l_user_api: CMS_USER_API
|
|
l_user: CMS_USER
|
|
l_roles: LIST [CMS_USER_ROLE]
|
|
l_cookie: WSF_COOKIE
|
|
es: CMS_AUTHENTICATION_EMAIL_SERVICE
|
|
do
|
|
if
|
|
attached {WSF_STRING} req.path_parameter (oauth_callback_path_parameter) as l_callback and then
|
|
attached {CMS_OAUTH_20_CONSUMER} a_oauth_api.oauth_consumer_by_callback (l_callback.value) as l_consumer and then
|
|
attached {WSF_STRING} req.query_parameter (oauth_code_query_parameter) as l_code
|
|
then
|
|
create l_auth.make (req.server_url, l_consumer)
|
|
l_auth.sign_request (l_code.value)
|
|
if
|
|
attached l_auth.access_token as l_access_token and then
|
|
attached l_auth.user_profile as l_user_profile
|
|
then
|
|
create {GENERIC_VIEW_CMS_RESPONSE} r.make (req, res, api)
|
|
-- extract user email
|
|
-- check if the user exist
|
|
l_user_api := api.user_api
|
|
-- 1 if the user exit put it in the context
|
|
if
|
|
attached l_auth.user_email as l_email
|
|
then
|
|
if attached l_user_api.user_by_email (l_email) as p_user then
|
|
-- User with email exist
|
|
if attached a_oauth_api.user_oauth2_by_id (p_user.id, l_consumer.name) then
|
|
-- Update oauth entry
|
|
a_oauth_api.update_user_oauth2 (l_access_token.token, l_user_profile, p_user, l_consumer.name )
|
|
else
|
|
-- create a oauth entry
|
|
a_oauth_api.new_user_oauth2 (l_access_token.token, l_user_profile.to_string_32, p_user, l_consumer.name )
|
|
end
|
|
create l_cookie.make (a_oauth_api.session_token, l_access_token.token)
|
|
l_cookie.set_max_age (l_access_token.expires_in)
|
|
l_cookie.set_path ("/")
|
|
res.add_cookie (l_cookie)
|
|
elseif attached a_oauth_api.user_oauth2_by_email (l_email, l_consumer.name) as p_user then
|
|
a_oauth_api.update_user_oauth2 (l_access_token.token, l_user_profile, p_user, l_consumer.name )
|
|
create l_cookie.make (a_oauth_api.session_token, l_access_token.token)
|
|
l_cookie.set_max_age (l_access_token.expires_in)
|
|
l_cookie.set_path ("/")
|
|
res.add_cookie (l_cookie)
|
|
else
|
|
create {ARRAYED_LIST [CMS_USER_ROLE]} l_roles.make (1)
|
|
l_roles.force (l_user_api.authenticated_user_role)
|
|
|
|
-- Create a new user and oauth entry
|
|
create l_user.make (l_email)
|
|
l_user.set_email (l_email)
|
|
l_user.set_password (new_token) -- generate a random password.
|
|
l_user.set_roles (l_roles)
|
|
l_user.mark_active
|
|
l_user_api.new_user (l_user)
|
|
|
|
-- Add oauth entry
|
|
a_oauth_api.new_user_oauth2 (l_access_token.token, l_user_profile, l_user, l_consumer.name )
|
|
create l_cookie.make (a_oauth_api.session_token, l_access_token.token)
|
|
l_cookie.set_max_age (l_access_token.expires_in)
|
|
l_cookie.set_path ("/")
|
|
res.add_cookie (l_cookie)
|
|
api.set_user (l_user)
|
|
api.record_user_login (l_user)
|
|
|
|
-- Send Email
|
|
create es.make (create {CMS_AUTHENTICATION_EMAIL_SERVICE_PARAMETERS}.make (api))
|
|
write_debug_log (generator + ".handle_callback_oauth: send_contact_welcome_email")
|
|
es.send_contact_welcome_email (l_email, l_user, req.absolute_script_url (""))
|
|
end
|
|
end
|
|
r.set_redirection (r.front_page_url)
|
|
r.execute
|
|
end
|
|
end
|
|
end
|
|
|
|
handle_associate (api: CMS_API; a_oauth_api: CMS_OAUTH_20_API; req: WSF_REQUEST; res: WSF_RESPONSE)
|
|
local
|
|
r: CMS_RESPONSE
|
|
do
|
|
create {GENERIC_VIEW_CMS_RESPONSE} r.make (req, res, api)
|
|
|
|
if req.is_post_request_method then
|
|
if
|
|
attached {WSF_STRING} req.form_parameter ("consumer") as l_consumer and then
|
|
attached {WSF_STRING} req.form_parameter ("email") as l_email and then
|
|
attached r.user as l_user
|
|
then
|
|
l_user.set_email (api.utf_8_encoded (l_email.value))
|
|
a_oauth_api.new_user_oauth2 ("none", "none", l_user, l_consumer.value )
|
|
-- TODO send email?
|
|
end
|
|
end
|
|
r.set_redirection (req.absolute_script_url ("/account"))
|
|
r.execute
|
|
end
|
|
|
|
handle_un_associate (api: CMS_API; a_oauth_api: CMS_OAUTH_20_API; req: WSF_REQUEST; res: WSF_RESPONSE)
|
|
local
|
|
r: CMS_RESPONSE
|
|
do
|
|
create {GENERIC_VIEW_CMS_RESPONSE} r.make (req, res, api)
|
|
if req.is_post_request_method then
|
|
if
|
|
attached {WSF_STRING} req.form_parameter ("consumer") as l_consumer and then
|
|
attached r.user as l_user
|
|
then
|
|
a_oauth_api.remove_user_oauth2 (l_user, l_consumer.value)
|
|
-- TODO send email?
|
|
end
|
|
end
|
|
r.set_redirection (req.absolute_script_url ("/account"))
|
|
r.execute
|
|
end
|
|
|
|
|
|
|
|
feature {NONE} -- Token Generation
|
|
|
|
new_token: STRING
|
|
-- Generate a new token activation token
|
|
local
|
|
l_token: STRING
|
|
l_security: SECURITY_PROVIDER
|
|
l_encode: URL_ENCODER
|
|
do
|
|
create l_security
|
|
l_token := l_security.token
|
|
create l_encode
|
|
from until l_token.same_string (l_encode.encoded_string (l_token)) loop
|
|
-- Loop ensure that we have a security token that does not contain characters that need encoding.
|
|
-- We cannot simply to an encode-decode because the email sent to the user will contain an encoded token
|
|
-- but the user will need to use an unencoded token if activation has to be done manually.
|
|
l_token := l_security.token
|
|
end
|
|
Result := l_token
|
|
end
|
|
|
|
feature {NONE} -- Implementation: date and time
|
|
|
|
http_date_format_to_date (s: READABLE_STRING_8): detachable DATE_TIME
|
|
local
|
|
d: HTTP_DATE
|
|
do
|
|
create d.make_from_string (s)
|
|
if not d.has_error then
|
|
Result := d.date_time
|
|
end
|
|
end
|
|
|
|
file_date (p: PATH): DATE_TIME
|
|
require
|
|
path_exists: (create {FILE_UTILITIES}).file_path_exists (p)
|
|
local
|
|
f: RAW_FILE
|
|
do
|
|
create f.make_with_path (p)
|
|
Result := timestamp_to_date (f.date)
|
|
end
|
|
|
|
timestamp_to_date (n: INTEGER): DATE_TIME
|
|
local
|
|
d: HTTP_DATE
|
|
do
|
|
create d.make_from_timestamp (n)
|
|
Result := d.date_time
|
|
end
|
|
|
|
|
|
note
|
|
copyright: "Copyright (c) 1984-2013, Eiffel Software and others"
|
|
license: "Eiffel Forum License v2 (see http://www.eiffel.com/licensing/forum.txt)"
|
|
source: "[
|
|
Eiffel Software
|
|
5949 Hollister Ave., Goleta, CA 93117 USA
|
|
Telephone 805-685-1006, Fax 805-685-6869
|
|
Website http://www.eiffel.com
|
|
Customer support http://support.eiffel.com
|
|
]"
|
|
end
|