Add configurable OAuth instead of hardcoded

Author: skadefro

OpenFlow/src/LoginProvider.ts

@@ -27,7 +27,7 @@ import { DBHelper } from "./DBHelper";
 const safeObjectID = (s: string | number | ObjectID) => ObjectID.isValid(s) ? new ObjectID(s) : null;
 
 const BaseRateLimiter = new RateLimiterMemory({
-    points: 10,
+    points: 40,
     duration: 5,
 });
 

OpenFlow/src/OAuthProvider.ts

@@ -1,24 +1,27 @@
 import * as OAuthServer from "oauth2-server";
 import * as winston from "winston";
 import * as express from "express";
-import { TokenUser } from "openflow-api";
+import { TokenUser, Base } from "openflow-api";
+import { Config } from "./Config";
+import { Crypt } from "./Crypt";
 const Request = OAuthServer.Request;
 const Response = OAuthServer.Response;
 export class OAuthProvider {
     private _logger: winston.Logger;
     private app: express.Express;
     public static instance: OAuthProvider = null;
-    private clients = [{
-        id: 'application',	// TODO: Needed by refresh_token grant, because there is a bug at line 103 in https://github.com/oauthjs/node-oauth2-server/blob/v3.0.1/lib/grant-types/refresh-token-grant-type.js (used client.id instead of client.clientId)
-        clientId: 'application',
-        clientSecret: 'secret',
-        grants: [
-            'password',
-            'refresh_token',
-            'authorization_code'
-        ],
-        redirectUris: []
-    }];
+    // private clients = [{
+    //     id: 'application',	// TODO: Needed by refresh_token grant, because there is a bug at line 103 in https://github.com/oauthjs/node-oauth2-server/blob/v3.0.1/lib/grant-types/refresh-token-grant-type.js (used client.id instead of client.clientId)
+    //     clientId: 'application',
+    //     clientSecret: 'secret',
+    //     grants: [
+    //         'password',
+    //         'refresh_token',
+    //         'authorization_code'
+    //     ],
+    //     redirectUris: []
+    // }];
+    private clients = [];
     private tokens = [];
     private codes = {};
     public oauthServer: any = null;
@@ -39,25 +42,31 @@ export class OAuthProvider {
             });
             (app as any).oauth = instance.oauthServer;
             app.all('/oauth/token', instance.obtainToken.bind(instance));
-            app.get('/oauth/login', (req, res) => {
+            app.get('/oauth/login', async (req, res) => {
+                instance.clients = await Config.db.query<Base>({ _type: "oauthclient" }, null, 10, 0, null, "config", Crypt.rootToken());
+                if (instance.clients == null || instance.clients.length == 0) return res.status(500).json({ message: 'OAuth not configured' });
                 let state = req.params.state;
                 if (state == null) state = encodeURIComponent(req.query.state as any);
                 const access_type = req.query.access_type;
                 const client_id = req.query.client_id;
                 const redirect_uri = req.query.redirect_uri;
                 const response_type = req.query.response_type;
                 const scope = req.query.scope;
+                let client = instance.getClientById(client_id);
                 if (req.user) {
-                    // TODO: Add logic for configurering redirect url's !!!!!!!!
-                    if (instance.clients[0].redirectUris.indexOf(redirect_uri) == -1) {
-                        instance.clients[0].redirectUris.push(redirect_uri);
+                    if (client.redirectUris.length > 0) {
+                        if (client.redirectUris.indexOf(redirect_uri) == -1) {
+                            return res.status(500).json({ message: 'illegal redirect_uri ' + redirect_uri });
+                            // client.redirectUris.push(redirect_uri);
+                        }
                     }
+                    const code = Math.random().toString(36).substr(2, 9);
 
                     instance._logger.info("[OAuth][" + (req.user as any).username + "] /oauth/login " + state);
-                    instance.codes["cc536d98d27750394a87ab9d057016e636a8ac31"] = req.user;
-                    instance.codes["cc536d98d27750394a87ab9d057016e636a8ac31"].redirect_uri = redirect_uri;
-                    // res.redirect(`${GRAFANA_URI}/login/generic_oauth?state=${state}&code=cc536d98d27750394a87ab9d057016e636a8ac31`);
-                    res.redirect(`${redirect_uri}?state=${state}&code=cc536d98d27750394a87ab9d057016e636a8ac31`);
+                    instance.codes[code] = req.user;
+                    instance.codes[code].redirect_uri = redirect_uri;
+                    instance.codes[code].client_id = client_id;
+                    res.redirect(`${redirect_uri}?state=${state}&code=${code}`);
                 } else {
                     instance._logger.info("[OAuth][anon] /oauth/login " + state);
                     res.cookie("originalUrl", req.originalUrl, { maxAge: 900000, httpOnly: true });
@@ -126,18 +135,14 @@ export class OAuthProvider {
                 res.status(err.code || 500).json(err);
             });
     }
-    public getAccessToken(bearerToken) {
+    public async getAccessToken(bearerToken) {
         this._logger.info("[OAuth] getAccessToken " + bearerToken);
-        const tokens = this.tokens.filter((token) => {
-            return token.accessToken === bearerToken;
-        });
+        const tokens = await Config.db.query<Base>({ _type: "token", "accessToken": bearerToken }, null, 10, 0, null, "oauthtokens", Crypt.rootToken());
         return tokens.length ? tokens[0] : false;
     }
-    public getRefreshToken(bearerToken) {
+    public async getRefreshToken(bearerToken) {
         this._logger.info("[OAuth] getRefreshToken " + bearerToken);
-        const tokens = this.tokens.filter((token) => {
-            return token.refreshToken === bearerToken;
-        });
+        const tokens = await Config.db.query<Base>({ _type: "token", "refreshToken": bearerToken }, null, 10, 0, null, "oauthtokens", Crypt.rootToken());
         return tokens.length ? tokens[0] : false;
     }
     public getClient(clientId, clientSecret) {
@@ -147,9 +152,17 @@ export class OAuthProvider {
         });
         return clients.length ? clients[0] : false;
     }
-    public saveToken(token, client, user) {
+    public getClientById(clientId) {
+        this._logger.info("[OAuth] getClientById " + clientId);
+        const clients = this.clients.filter((client) => {
+            return client.clientId === clientId;
+        });
+        return clients.length ? clients[0] : false;
+    }
+
+    public async saveToken(token, client, user) {
         this._logger.info("[OAuth] saveToken " + token);
-        const result = {
+        const result: any = {
             accessToken: token.accessToken,
             access_token: token.accessToken,
             accessTokenExpiresAt: token.accessTokenExpiresAt,
@@ -158,43 +171,50 @@ export class OAuthProvider {
             refresh_token: token.refreshToken,
             refreshTokenExpiresAt: token.refreshTokenExpiresAt,
             userId: user.id,
-
             user: user,
-            client: this.clients[0]
+            client: client,
+            _type: "token"
         };
         this.tokens.push(result);
+        await Config.db.InsertOne(result, "oauthtokens", 0, false, Crypt.rootToken());
         return result;
     }
     saveAuthorizationCode(code, client, user) {
         this._logger.info("[OAuth] saveAuthorizationCode " + code);
-        // const codeToSave: any = this.codes[code];
-        const codeToSave: any = {
-            'authorizationCode': code.authorizationCode,
-            'expiresAt': code.expiresAt,
-            'redirectUri': code.redirectUri,
-            'scope': code.scope,
-            'client': client.id,
-            'user': user.username
-        };
-        this.codes[code] = codeToSave;
-        code = Object.assign({}, code, {
-            'client': client.id,
-            'user': user.username
-        });
+        // // const codeToSave: any = this.codes[code];
+        // const codeToSave: any = {
+        //     'authorizationCode': code.authorizationCode,
+        //     'expiresAt': code.expiresAt,
+        //     'redirectUri': code.redirectUri,
+        //     'scope': code.scope,
+        //     'client': client.id,
+        //     'user': user.username
+        // };
+        // this.codes[code] = codeToSave;
+        // this.revokeAuthorizationCode(code);
+        // code = Object.assign({}, code, {
+        //     'client': client.id,
+        //     'user': user.username
+        // });
         return code;
     }
     getAuthorizationCode(code) {
         this._logger.info("[OAuth] getAuthorizationCode " + code);
         let user: TokenUser = this.codes[code];
+        const client_id: string = this.codes[code].client_id;
         if (user == null) return null;
+        this.revokeAuthorizationCode(code);
         const redirect_uri = (user as any).redirect_uri;
         const expiresAt = new Date();
         expiresAt.setMonth(expiresAt.getMonth() + 1);
-        let role = "Viewer";
         user = TokenUser.From(user);
-        if (user.HasRoleName("admins")) role = "Admin";
-        if (user.HasRoleName("grafana editors")) role = "Editor";
-        if (user.HasRoleName("grafana admins")) role = "Admin";
+        let client = this.getClientById(client_id);
+
+        let role = client.defaultrole;
+        const keys: string[] = Object.keys(client.rolemappings);
+        for (let i = 0; i < keys.length; i++) {
+            if (user.HasRoleName(keys[i])) role = client.rolemappings[keys[i]];
+        }
         const result = {
             code: code,
             client: this.clients[0],
@@ -209,12 +229,11 @@ export class OAuthProvider {
             expiresAt: expiresAt,
             redirectUri: redirect_uri
         }
-        // Viewer, Editor, Admin
-        // return result;
         return result;
     }
     revokeAuthorizationCode(code) {
         this._logger.info("[OAuth] revokeAuthorizationCode " + code);
+        delete this.codes[code];
         return true;
         // const user: TokenUser = this.codes[code];
         // if (user != null) delete this.codes[code];

OpenFlow/src/public/Controllers.ts

@@ -4043,6 +4043,7 @@ export class OAuthClientCtrl extends entityCtrl<Base> {
                 (this.model as any).clientSecret = 'secret';
                 (this.model as any).grants = ['password', 'refresh_token', 'authorization_code'];
                 (this.model as any).redirectUris = [];
+                (this.model as any).defaultrole = "Viewer";
                 (this.model as any).rolemappings = { "admins": "admin", "grafana editors": "Editor", "grafana admins": "Admin" };
             }
         });

OpenFlow/src/public/OAuthClient.html

@@ -69,6 +69,12 @@ <h1 class="pagetitle" translate lib="web">oauthclient</h1>
 
 
 
+    <div class="form-group">
+        <label for="defaultrole" class="col-sm-2 control-label" translate lib="web">defaultrole</label>
+        <div class="col-sm-4">
+            <input ng-model="ctrl.model.defaultrole" class="form-control input-md" ng-disabled="ctrl.loading==true" />
+        </div>
+    </div>
 
     <div class="form-group">
         <label for="rolemappings" class="col-sm-2 control-label" translate lib="web">rolemappings</label>