// Copyright 2014 The Gogs Authors. All rights reserved. // Copyright 2019 The Gitea Authors. All rights reserved. // SPDX-License-Identifier: MIT package method import ( "context" "errors" "net/http" "slices" "strings" "time" actions_model "forgejo.org/models/actions" auth_model "forgejo.org/models/auth" user_model "forgejo.org/models/user" "forgejo.org/modules/log" "forgejo.org/modules/optional" "forgejo.org/modules/setting" "forgejo.org/modules/util" "forgejo.org/modules/web/middleware" "forgejo.org/services/actions" "forgejo.org/services/auth" "forgejo.org/services/auth/source/oauth2" "forgejo.org/services/authz" ) // Ensure the struct implements the interface. var ( _ auth.Method = &OAuth2{} ) // grantAdditionalScopes returns valid scopes coming from grant func grantAdditionalScopes(grantScopes string) string { // scopes_supported from templates/user/auth/oidc_wellknown.tmpl scopesSupported := []string{ "openid", "profile", "email", "groups", } var apiTokenScopes []string for apiTokenScope := range strings.SplitSeq(grantScopes, " ") { if slices.Index(scopesSupported, apiTokenScope) == -1 { apiTokenScopes = append(apiTokenScopes, apiTokenScope) } } if len(apiTokenScopes) == 0 { return "" } var additionalGrantScopes []string allScopes := auth_model.AccessTokenScope("all") for _, apiTokenScope := range apiTokenScopes { grantScope := auth_model.AccessTokenScope(apiTokenScope) if ok, _ := allScopes.HasScope(grantScope); ok { additionalGrantScopes = append(additionalGrantScopes, apiTokenScope) } else if apiTokenScope == "public-only" { additionalGrantScopes = append(additionalGrantScopes, apiTokenScope) } } if len(additionalGrantScopes) > 0 { return strings.Join(additionalGrantScopes, ",") } return "" } // CheckOAuthAccessToken returns uid of user from oauth token // + non default openid scopes requested func CheckOAuthAccessToken(ctx context.Context, accessToken string) (int64, string) { if !setting.OAuth2.Enabled { return 0, "" } // JWT tokens require a "." if !strings.Contains(accessToken, ".") { return 0, "" } token, err := oauth2.ParseToken(accessToken, oauth2.DefaultSigningKey) if err != nil { log.Trace("oauth2.ParseToken: %v", err) return 0, "" } var grant *auth_model.OAuth2Grant if grant, err = auth_model.GetOAuth2GrantByID(ctx, token.GrantID); err != nil || grant == nil { return 0, "" } if token.Type != oauth2.TypeAccessToken { return 0, "" } if token.ExpiresAt.Before(time.Now()) || token.IssuedAt.After(time.Now()) { return 0, "" } grantScopes := grantAdditionalScopes(grant.Scope) return grant.UserID, grantScopes } // CheckTaskIsRunning verifies that the TaskID corresponds to a running task func CheckTaskIsRunning(ctx context.Context, taskID int64) bool { // Verify the task exists task, err := actions_model.GetTaskByID(ctx, taskID) if err != nil { return false } // Verify that it's running return task.Status == actions_model.StatusRunning } // OAuth2 implements the Auth interface and authenticates requests // (API requests only) by looking for an OAuth token in query parameters or the // "Authorization" header. type OAuth2 struct{} // parseToken returns the token from request, and a boolean value // representing whether the token exists or not func parseToken(req *http.Request) (string, bool) { _ = req.ParseForm() if !setting.DisableQueryAuthToken { // Check token. if token := req.Form.Get("token"); token != "" { return token, true } // Check access token. if token := req.Form.Get("access_token"); token != "" { return token, true } } else if req.Form.Get("token") != "" || req.Form.Get("access_token") != "" { log.Warn("API token sent in query string but DISABLE_QUERY_AUTH_TOKEN=true") } // check header token if auHead := req.Header.Get("Authorization"); auHead != "" { auths := strings.Fields(auHead) if len(auths) == 2 && (util.ASCIIEqualFold(auths[0], "token") || util.ASCIIEqualFold(auths[0], "bearer")) { return auths[1], true } } return "", false } // userIDFromToken returns the user id corresponding to the OAuth token. // It will set 'IsApiToken' to true if the token is an API token and // set 'ApiTokenScope' to the scope of the access token func (o *OAuth2) userIDFromToken(ctx context.Context, tokenSHA string) (auth.AuthenticationResult, error) { if tokenSHA == "" { return nil, auth_model.ErrAccessTokenEmpty{} } // Let's see if token is valid. if strings.Contains(tokenSHA, ".") { // First attempt to decode an actions JWT, returning the actions user if taskID, err := actions.TokenToTaskID(tokenSHA); err == nil { if CheckTaskIsRunning(ctx, taskID) { return &actionsTaskTokenAuthenticationResult{user: user_model.NewActionsUser(), taskID: taskID}, nil } } // Otherwise, check if this is an OAuth access token uid, grantScopes := CheckOAuthAccessToken(ctx, tokenSHA) var accessTokenScope optional.Option[auth_model.AccessTokenScope] if uid != 0 { if grantScopes != "" { accessTokenScope = optional.Some(auth_model.AccessTokenScope(grantScopes)) } else { accessTokenScope = optional.Some(auth_model.AccessTokenScopeAll) // fallback to all } } user, err := user_model.GetPossibleUserByID(ctx, uid) if err != nil { if !user_model.IsErrUserNotExist(err) { log.Error("GetUserByName: %v", err) } return nil, err } return &oAuth2JWTAuthenticationResult{user: user, scope: accessTokenScope}, nil } t, err := auth_model.GetAccessTokenBySHA(ctx, tokenSHA) if err != nil { if auth_model.IsErrAccessTokenNotExist(err) { // check task token task, err := actions_model.GetRunningTaskByToken(ctx, tokenSHA) if err == nil && task != nil { log.Trace("Basic Authorization: Valid AccessToken for task[%d]", task.ID) return &actionsTaskTokenAuthenticationResult{user: user_model.NewActionsUser(), taskID: task.ID}, nil } } else if !auth_model.IsErrAccessTokenNotExist(err) && !auth_model.IsErrAccessTokenEmpty(err) { log.Error("GetAccessTokenBySHA: %v", err) return nil, err } return nil, err } if err := t.UpdateLastUsed(ctx); err != nil { log.Error("UpdateLastUsed: %v", err) } if t.UID == 0 { return nil, auth_model.ErrAccessTokenNotExist{} } reducer, err := authz.GetAuthorizationReducerForAccessToken(ctx, t) if err != nil { log.Error("authz.GetAuthorizationReducerForAccessToken: %v", err) return nil, err } u, err := user_model.GetUserByID(ctx, t.UID) if err != nil { log.Error("GetUserByID: %v", err) return nil, err } return &accessTokenAuthenticationResult{user: u, scope: t.Scope, reducer: reducer}, nil } // Verify extracts the user ID from the OAuth token in the query parameters // or the "Authorization" header and returns the corresponding user object for that ID. // If verification is successful returns an existing user object. // Returns nil if verification fails. func (o *OAuth2) Verify(req *http.Request, w http.ResponseWriter, _ auth.SessionStore) (auth.AuthenticationResult, error) { // These paths are not API paths, but we still want to check for tokens because they maybe in the API returned URLs if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isAuthenticatedTokenRequest(req) && !isGitRawOrAttachPath(req) && !isArchivePath(req) { return &auth.UnauthenticatedResult{}, nil } token, ok := parseToken(req) if !ok { return &auth.UnauthenticatedResult{}, nil } auth, err := o.userIDFromToken(req.Context(), token) if err != nil { return nil, err } else if auth.User() == nil { // Having successfully found a token, it's now expected that the only valid outcomes are either errors that // result in 401s (if the token wasn't valid), or valid authentication as a user. If we reach here, we've missed // those expected outcomes and somehow returned an unauthenticated response even though a token was provided. return nil, errors.New("unexpected unauthenticated result from userIDFromToken") } log.Trace("OAuth2 Authorization: Logged in user %-v", auth.User()) return auth, nil } func isAuthenticatedTokenRequest(req *http.Request) bool { switch req.URL.Path { case "/login/oauth/userinfo": fallthrough case "/login/oauth/introspect": return true } return false }