feat(oauth): merge pr from https://github.com/portainer/portainer/pull/2515

2025-07-24 07:49:41 +02:00 · 2018-12-30 18:02:22 +02:00 · 2018-12-30 18:02:22 +02:00 · 241a701eca
commit 241a701eca
parent 463b379876
19 changed files with 501 additions and 7 deletions
--- a/api/http/handler/auth/authenticate.go
+++ b/api/http/handler/auth/authenticate.go
@ -17,6 +17,10 @@ type authenticatePayload struct {
 	Password string
 }

+type oauthPayload struct {
+	Code string
+}
+
 type authenticateResponse struct {
 	JWT string `json:"jwt"`
 }
@ -31,6 +35,13 @@ func (payload *authenticatePayload) Validate(r *http.Request) error {
 	return nil
 }

+func (payload *oauthPayload) Validate(r *http.Request) error {
+	if govalidator.IsNull(payload.Code) {
+		return portainer.Error("Invalid OAuth authorization code")
+	}
+	return nil
+}
+
 func (handler *Handler) authenticate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	if handler.authDisabled {
 		return &httperror.HandlerError{http.StatusServiceUnavailable, "Cannot authenticate user. Portainer was started with the --no-auth flag", ErrAuthDisabled}
@ -82,6 +93,58 @@ func (handler *Handler) authenticateLDAP(w http.ResponseWriter, user *portainer.
 	return handler.writeToken(w, user)
 }

+func (handler *Handler) authenticateOAuth(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	var payload oauthPayload
+	err := request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
+	}
+
+	settings, err := handler.SettingsService.Settings()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
+	}
+
+	if settings.AuthenticationMethod != 3 {
+		return &httperror.HandlerError{http.StatusForbidden, "OAuth authentication is not being used", err}
+	}
+
+	token, err := handler.OAuthService.GetAccessToken(payload.Code, &settings.OAuthSettings)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid access token", portainer.ErrUnauthorized}
+	}
+
+	username, err := handler.OAuthService.GetUsername(token, &settings.OAuthSettings)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusForbidden, "Unable to acquire username", portainer.ErrUnauthorized}
+	}
+
+	u, err := handler.UserService.UserByUsername(username)
+	if err != nil && err != portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a user with the specified username from the database", err}
+	}
+
+	if u == nil && !settings.OAuthSettings.OAuthAutoCreateUsers {
+		return &httperror.HandlerError{http.StatusForbidden, "Unregistered account", portainer.ErrUnauthorized}
+	}
+
+	if u == nil {
+		user := &portainer.User{
+			Username: username,
+			Role:     portainer.StandardUserRole,
+		}
+
+		err = handler.UserService.CreateUser(user)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist user inside the database", err}
+		}
+
+		return handler.writeToken(w, user)
+	}
+
+	return handler.writeToken(w, u)
+}
+
 func (handler *Handler) authenticateInternal(w http.ResponseWriter, user *portainer.User, password string) *httperror.HandlerError {
 	err := handler.CryptoService.CompareHashAndData(user.Password, password)
 	if err != nil {