src-cli/cmd/src/login_oauth.go at 93dc82afd0e6ae55ff8e6572509425f0d437e2ce · sourcegraph/src-cli · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
package main

import (
	"context"
	"fmt"
	"io"
	"net/url"
	"os/exec"
	"runtime"
	"time"

	"github.com/sourcegraph/sourcegraph/lib/errors"
	"github.com/sourcegraph/src-cli/internal/api"
	"github.com/sourcegraph/src-cli/internal/cmderrors"
	"github.com/sourcegraph/src-cli/internal/oauth"
)

var loadStoredOAuthToken = oauth.LoadToken

func runOAuthLogin(ctx context.Context, p loginParams) error {
	client, err := oauthLoginClient(ctx, p)
	if err != nil {
		printLoginProblem(p.out, fmt.Sprintf("OAuth Device flow authentication failed: %s", err))
		fmt.Fprintln(p.out, loginAccessTokenMessage(p.cfg.endpointURL))
		return cmderrors.ExitCode1
	}

	if err := validateCurrentUser(ctx, client, p.out, p.cfg.endpointURL); err != nil {
		return err
	}

	fmt.Fprintln(p.out)
	fmt.Fprint(p.out, "✔︎ Authenticated with OAuth credentials")
	fmt.Fprintln(p.out)
	return nil
}

// oauthLoginClient returns a api.Client with the OAuth token set. It will check secret storage for a token
// and use it if one is present.
// If no token is found, it will start a OAuth Device flow to get a token and storage in secret storage.
func oauthLoginClient(ctx context.Context, p loginParams) (api.Client, error) {
	// if we have a stored token, used it. Otherwise run the device flow
	if token, err := loadStoredOAuthToken(ctx, p.cfg.endpointURL); err == nil {
		return newOAuthAPIClient(p, token), nil
	}

	token, err := runOAuthDeviceFlow(ctx, p.cfg.endpointURL, p.out, p.oauthClient)
	if err != nil {
		return nil, err
	}

	if err := oauth.StoreToken(ctx, token); err != nil {
		fmt.Fprintln(p.out)
		fmt.Fprintf(p.out, "⚠️  Warning: Failed to store token in keyring store: %q. Continuing with this session only.\n", err)
	}

	return newOAuthAPIClient(p, token), nil
}

func newOAuthAPIClient(p loginParams, token *oauth.Token) api.Client {
	return api.NewClient(api.ClientOpts{
		EndpointURL:       p.cfg.endpointURL,
		AdditionalHeaders: p.cfg.additionalHeaders,
		Flags:             p.apiFlags,
		Out:               p.out,
		ProxyURL:          p.cfg.proxyURL,
		ProxyPath:         p.cfg.proxyPath,
		OAuthToken:        token,
	})
}

func runOAuthDeviceFlow(ctx context.Context, endpointURL *url.URL, out io.Writer, client oauth.Client) (*oauth.Token, error) {
	authResp, err := client.Start(ctx, endpointURL, nil)
	if err != nil {
		return nil, err
	}

	authURL := authResp.VerificationURIComplete
	msg := fmt.Sprintf("If your browser did not open automatically, visit %s.", authURL)
	if authURL == "" {
		authURL = authResp.VerificationURI
		msg = fmt.Sprintf("If your browser did not open automatically, visit %s and enter the user code %s", authURL, authResp.DeviceCode)
	}
	_ = openInBrowser(authURL)
	fmt.Fprintln(out)
	fmt.Fprint(out, msg)

	fmt.Fprintln(out)
	fmt.Fprint(out, "Waiting for authorization... ")
	defer fmt.Fprintf(out, "DONE\n\n")

	interval := time.Duration(authResp.Interval) * time.Second
	if interval <= 0 {
		interval = 5 * time.Second
	}

	resp, err := client.Poll(ctx, endpointURL, authResp.DeviceCode, interval, authResp.ExpiresIn)
	if err != nil {
		return nil, err
	}

	token := resp.Token(endpointURL)
	token.ClientID = client.ClientID()
	return token, nil
}

// validateBrowserURL checks that rawURL is a valid HTTP(S) URL to prevent
// command injection via malicious URLs returned by an OAuth server.
func validateBrowserURL(rawURL string) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return errors.Wrapf(err, "invalid URL: %s", rawURL)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return errors.Newf("unsupported URL scheme %q: only http and https are allowed", u.Scheme)
	}
	if u.Host == "" {
		return errors.New("URL has no host")
	}
	return nil
}

func openInBrowser(rawURL string) error {
	if rawURL == "" {
		return nil
	}

	if err := validateBrowserURL(rawURL); err != nil {
		return err
	}

	var cmd *exec.Cmd
	switch runtime.GOOS {
	case "darwin":
		cmd = exec.Command("open", rawURL)
	case "windows":
		cmd = exec.Command("rundll32", "url.dll,OpenURL", rawURL)
	default:
		cmd = exec.Command("xdg-open", rawURL)
	}
	return cmd.Run()
}