opportunity: official docker image

[nit.git] / contrib / shibuqam / examples / shibuqamoauth.nit

# This file is part of NIT ( http://www.nitlanguage.org ).
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Server that implements an OAuth2-like authentication bound to a `shibuqam` valid server.
#
# The protocol is based on [OAuth2](https://tools.ietf.org/html/rfc6749),
# especially the [Authorization Code Grant](https://tools.ietf.org/html/rfc6749#section-4.1).
#
# # Use as a web service
#
# * User: the human user and its user-agent (browser) that use the client website.
# * Client: the 3rd party web site that need authentication. It owns `https://client.example.com`
# * Server: the public OAuth server. It owns `https://server.example.com`
#
# From the user & client point of view, the process is the following:
#
# 1. The client redirects the user to the server.
# 2. The user authenticates on the server.
# 3. The server redirects the user to the client with a token.
# 4. The client sends the token to the server.
# 5. The server responds with the user information.
#
# ## 1. User Request
#
# Two GET fields
#
# * `redirect_uri`: A full URI that will be used to redirect the user once the authentication is done.
# * `state`: A temporary string used to check that the callback is legitimate.
#
# On request, the service authenticate the user then redirect to the callback with the user informations.
#
# Example:
#
# ~~~raw
# GET https://server.example.com/login?redirect_uri=https://client.example.com/callback&state=secret
# ~~~
#
# ## 3. Response
#
# After the authentication, the response is a 303 redirection to `redirect_uri`
# with the following GET arguments:
#
# * `code:` a temporary token to send-back to the server
# * `state`: the same state to check that the response is not forged.
#
# Example:
#
# ~~~raw
# HTTP/1.1 303 See Other
# Location: https://client.example.com/callback?code=something&state=secret
# ~~~
#
# ## 3b. Errors
#
# If the request is badly formed or if the `redirect_uri` is not authorized,
# then there is no redirection and a text error message is send to the user.
#
# If there is a problem during the authentication, then there is a redirection
# but the GET fields are only `state` and `error=access_denied`.
#
# ## 4. Client request
#
# A single POST field
#
# * `code`: The one you get as the user response.
#
# Example:
#
# ~~~raw
# POST https://server.example.com/info
# code=something
# ~~~
#
# ## 5. Response
#
# The response is a JSON object that is the plain serialization of a `User` instance.
#
# ~~~json
# HTTP/1.1 200 OK
# Content-Type: application/json;charset=UTF-8
#
# {
#       "id": "jdoe",
#       "given_name": "John",
#       "display_name": "John Doe",
#       "email": "doe.john@example.com",
#       "avatar": "https://www.gravatar.com/avatar/4fe50a575e1c28773800a0aa03c62dbe?d=retro"
# }
# ~~~
#
# # To configure and execute
#
# ## Run the server
#
#    shibuqamoauth authorized_list [host] [port]
#
# `authorized_list` is a textfile that registers the list of accepted `redirect_uri`.
#
# Example:
#
# ~~~raw
# https://example.com/foo
# https://other.example.com/
# ~~~
#
# To be authorized, a `redirect_uri` must have one of the line of `authorized_list` as a prefix.
# For instance, the previous `authorized_list` accepts `https://example.com/foo` and `https://example.com/foo/bar`
# but not `https://example.com/bar` nor `https://sub.example.com/foo`.
#
#
# ## Install as a server
#
# A correct `shibuqam` reverse proxy must be configured (see `shibuqam` for details).
# In a full scenario, the server is replaced by:
#
# * Proxy: the public reverse proxy that can do the genuine Shibboleth authentication.
#   It owns `https://server.example.com`
# * Service: the private shibuqamoauth service. It owns a NATed `https://shibuqamoauth.example.com/`
#
# On the first access to the server (user request):
#
# 1. Proxy gets the request
# 2. Proxy does the Shibboleth authentication.
# 3. Proxy enhances the request header.
# 4. Proxy forwards the request to service.
# 5. Service checks that `redir` is authorized.
# 6. Service digs in the enhanced request header to generate a token and associate it to the user.
# 7. Redirect the user to client with the callback and the token.
#
# On the second access to the server (client request):
#
# 1. Proxy gets the request
# 2. Proxy forwards the request to service without authentification (it is not a user).
# 3. Service checks that the token existe and is not expired.
# 4. Service serialize and send the user as in the
#
# The Proxy should only do the authentication on the user request.
# The simplest way is to configure two routes that reverse proxy on the same server.
#
# # Why not using real OAuth2?
#
# OAuth2 is centered about *access_tokens* that allow clients to performs
# a (possibly scoped) set of actions/queries on the behalf of an authenticated user.
#
# In our scenario, there is no action/queries to do once an user is authenticated.
# So we do not delivers *access_tokens* since there is nothing to access once the user is known.
#
# We need only the third-party authentication part of the protocol.
#
# Since we do not have the same goals than the RFC, we also have a simplified protocol.
# Noways, OAuth is mainly a framework and the implementations are very diverse and unfortunately no
# not interoperable anyway.
#
# Here is the specific changes we have:
#
# * no `response_type`: there is a single kind of grant and the two steps are identified by the http method (GET or POST) and the configured routes on the server.
# * no `client_id`: because we do not want to code a db of clients. The `redirect_uri` can be seen as a simple client_id. We have also no way to present the client to the user since we do not control the authorization page of shibboleth since is done by the reverse proxy.
# * no `scope` and no `authorisation_code` since since there is nothing to access. We just get minimal information after the successful shibboleth login. Thus we have nothing more to authorise once the user is authenticated.
# * no `client_secret`: the user information are already public. There is no need to make the code more complex to protect public information.
module shibuqamoauth

import popcorn
import shibuqam
import json

class AuthHandler
        super Handler

        # List of prefixes of authorized redirections.
        var authorized: Array[String]

        # Check is `redir` is an authorized redirection (client)
        fun is_authorized(redir: String): Bool
        do
                for r in authorized do if redir.has_prefix(r) then return true
                return false
        end


        # Associate each `code` issued to the user, to the info intended to the client.
        var infos = new HashMap[String, Info]

        # Remove expired keys
        fun expiration
        do
                var now = get_time
                for k, i in infos do
                        if i.expiration < now then
                                infos.keys.remove(k)
                                print "{i.user.id} -> expired"
                        end
                end
        end

        # Generate a new usable token
        #
        # Not thread safe!
        fun new_token: String
        do
                var token
                loop
                        token = generate_token
                        if not infos.has_key(token) then break
                end
                return token
        end

        redef fun get(http_request, response)
        do
                # GET means a Authorization Request from the user-agent

                # Get the `redirect_uri` parameter, we use it to identify the client
                var redir = http_request.string_arg("redir")
                if redir == null then redir = http_request.string_arg("redirect_uri")
                if redir == null then
                        response.send("No redirect_uri.", 400)
                        return
                end

                # Check if the client is authorized
                if not is_authorized(redir) then
                        response.send("Site not authorized.", 403)
                        return
                end

                # Get the state, we use it to avoid CSRF attacks
                var state = http_request.string_arg("state")
                var res = redir + "?"

                # If we are here, the reverse proxy did the authentication
                # Is there an user?
                var user = http_request.user
                if user == null then
                        print "no user -> {redir}"
                        res += "error=access_denied"
                else
                        # The user is authenticated.
                        print "{user.id} -> {redir}"

                        # We prepare a token (code) that the client will use to get the information.
                        expiration
                        var token = new_token

                        res += "code={token.to_percent_encoding}"

                        var ttl = 10*60*60 # 10 minutes
                        var info = new Info(get_time + ttl, user)
                        infos[token] = info
                end
                if state != null then res += "&state={state.to_percent_encoding}"
                response.redirect res
        end

        redef fun post(http_request, response)
        do
                # POST means an Access Token Request from the client.
                # Unfortunately, we have no access to grant, only informations.
                print http_request.post_args.join(" ; ", ": ")

                expiration

                var code = http_request.string_arg("code")
                if code == null then
                        print "POST: no code"
                        return
                end
                var info = infos.get_or_null(code)
                if info == null then
                        print "POST: bad code {code}"
                        return
                end

                print "{info.user.id} -> retrieved"

                # Drop the code as it is a single use
                infos.keys.remove(code)

                # Send the requested information.
                response.json(info.user)
        end
end

redef class User
        super Jsonable
end

# Information about an authenticated used stored on the server to be given to the client.
class Info
        # Time to live
        var expiration: Int

        # The identified user
        var user: User
end

var host = "localhost"
var port = 3000

if args.is_empty then
        print "usage: shibuqamoauth authorized_list [host] [port]"
        return
end

var list = args[0]
if args.length > 1 then host = args[1]
if args.length > 2 then port = args[2].to_i

var authorized = list.to_path.read_lines
if authorized.is_empty then
        print_error "{list}: not found or empty"
        exit 1
end

var app = new App
app.use("/*", new AuthHandler(authorized))
app.listen(host, port)