pollymc/libraries/katabasis/src/DeviceFlow.cpp

452 lines
15 KiB
C++

#include <QList>
#include <QPair>
#include <QDebug>
#include <QTcpServer>
#include <QMap>
#include <QNetworkRequest>
#include <QNetworkReply>
#include <QNetworkAccessManager>
#include <QDateTime>
#include <QCryptographicHash>
#include <QTimer>
#include <QVariantMap>
#include <QUuid>
#include <QDataStream>
#include <QUrlQuery>
#include "katabasis/DeviceFlow.h"
#include "katabasis/PollServer.h"
#include "katabasis/Globals.h"
#include "JsonResponse.h"
namespace {
// ref: https://tools.ietf.org/html/rfc8628#section-3.2
// Exception: Google sign-in uses "verification_url" instead of "*_uri" - we'll accept both.
bool hasMandatoryDeviceAuthParams(const QVariantMap& params)
{
if (!params.contains(Katabasis::OAUTH2_DEVICE_CODE))
return false;
if (!params.contains(Katabasis::OAUTH2_USER_CODE))
return false;
if (!(params.contains(Katabasis::OAUTH2_VERIFICATION_URI) || params.contains(Katabasis::OAUTH2_VERIFICATION_URL)))
return false;
if (!params.contains(Katabasis::OAUTH2_EXPIRES_IN))
return false;
return true;
}
QByteArray createQueryParameters(const QList<Katabasis::RequestParameter> &parameters) {
QByteArray ret;
bool first = true;
for( auto & h: parameters) {
if (first) {
first = false;
} else {
ret.append("&");
}
ret.append(QUrl::toPercentEncoding(h.name) + "=" + QUrl::toPercentEncoding(h.value));
}
return ret;
}
}
namespace Katabasis {
DeviceFlow::DeviceFlow(Options & opts, Token & token, QObject *parent, QNetworkAccessManager *manager) : QObject(parent), token_(token) {
manager_ = manager ? manager : new QNetworkAccessManager(this);
qRegisterMetaType<QNetworkReply::NetworkError>("QNetworkReply::NetworkError");
options_ = opts;
}
bool DeviceFlow::linked() {
return token_.validity != Validity::None;
}
void DeviceFlow::setLinked(bool v) {
qDebug() << "DeviceFlow::setLinked:" << (v? "true": "false");
token_.validity = v ? Validity::Certain : Validity::None;
}
void DeviceFlow::updateActivity(Activity activity)
{
if(activity_ == activity) {
return;
}
activity_ = activity;
switch(activity) {
case Katabasis::Activity::Idle:
case Katabasis::Activity::LoggingIn:
case Katabasis::Activity::LoggingOut:
case Katabasis::Activity::Refreshing:
// non-terminal states...
break;
case Katabasis::Activity::FailedSoft:
// terminal state, tokens did not change
break;
case Katabasis::Activity::FailedHard:
case Katabasis::Activity::FailedGone:
// terminal state, tokens are invalid
token_ = Token();
break;
case Katabasis::Activity::Succeeded:
setLinked(true);
break;
}
emit activityChanged(activity_);
}
QString DeviceFlow::token() {
return token_.token;
}
void DeviceFlow::setToken(const QString &v) {
token_.token = v;
}
QVariantMap DeviceFlow::extraTokens() {
return token_.extra;
}
void DeviceFlow::setExtraTokens(QVariantMap extraTokens) {
token_.extra = extraTokens;
}
void DeviceFlow::setPollServer(PollServer *server)
{
if (pollServer_)
pollServer_->deleteLater();
pollServer_ = server;
}
PollServer *DeviceFlow::pollServer() const
{
return pollServer_;
}
QVariantMap DeviceFlow::extraRequestParams()
{
return extraReqParams_;
}
void DeviceFlow::setExtraRequestParams(const QVariantMap &value)
{
extraReqParams_ = value;
}
QString DeviceFlow::grantType()
{
if (!grantType_.isEmpty())
return grantType_;
return OAUTH2_GRANT_TYPE_DEVICE;
}
void DeviceFlow::setGrantType(const QString &value)
{
grantType_ = value;
}
// First get the URL and token to display to the user
void DeviceFlow::login() {
qDebug() << "DeviceFlow::link";
updateActivity(Activity::LoggingIn);
setLinked(false);
setToken("");
setExtraTokens(QVariantMap());
setRefreshToken(QString());
setExpires(QDateTime());
QList<RequestParameter> parameters;
parameters.append(RequestParameter(OAUTH2_CLIENT_ID, options_.clientIdentifier.toUtf8()));
parameters.append(RequestParameter(OAUTH2_SCOPE, options_.scope.toUtf8()));
QByteArray payload = createQueryParameters(parameters);
QUrl url(options_.authorizationUrl);
QNetworkRequest deviceRequest(url);
deviceRequest.setHeader(QNetworkRequest::ContentTypeHeader, "application/x-www-form-urlencoded");
QNetworkReply *tokenReply = manager_->post(deviceRequest, payload);
connect(tokenReply, &QNetworkReply::finished, this, &DeviceFlow::onDeviceAuthReplyFinished, Qt::QueuedConnection);
}
// Then, once we get them, present them to the user
void DeviceFlow::onDeviceAuthReplyFinished()
{
qDebug() << "DeviceFlow::onDeviceAuthReplyFinished";
QNetworkReply *tokenReply = qobject_cast<QNetworkReply *>(sender());
if (!tokenReply)
{
qDebug() << "DeviceFlow::onDeviceAuthReplyFinished: reply is null";
return;
}
if (tokenReply->error() == QNetworkReply::NoError) {
QByteArray replyData = tokenReply->readAll();
// Dump replyData
// SENSITIVE DATA in RelWithDebInfo or Debug builds
//qDebug() << "DeviceFlow::onDeviceAuthReplyFinished: replyData\n";
//qDebug() << QString( replyData );
QVariantMap params = parseJsonResponse(replyData);
// Dump tokens
qDebug() << "DeviceFlow::onDeviceAuthReplyFinished: Tokens returned:\n";
foreach (QString key, params.keys()) {
// SENSITIVE DATA in RelWithDebInfo or Debug builds, so it is truncated first
qDebug() << key << ": "<< params.value( key ).toString();
}
// Check for mandatory parameters
if (hasMandatoryDeviceAuthParams(params)) {
qDebug() << "DeviceFlow::onDeviceAuthReplyFinished: Device auth request response";
const QString userCode = params.take(OAUTH2_USER_CODE).toString();
QUrl uri = params.take(OAUTH2_VERIFICATION_URI).toUrl();
if (uri.isEmpty())
uri = params.take(OAUTH2_VERIFICATION_URL).toUrl();
if (params.contains(OAUTH2_VERIFICATION_URI_COMPLETE))
emit openBrowser(params.take(OAUTH2_VERIFICATION_URI_COMPLETE).toUrl());
bool ok = false;
int expiresIn = params[OAUTH2_EXPIRES_IN].toInt(&ok);
if (!ok) {
qWarning() << "DeviceFlow::startPollServer: No expired_in parameter";
updateActivity(Activity::FailedHard);
return;
}
emit showVerificationUriAndCode(uri, userCode, expiresIn);
startPollServer(params, expiresIn);
} else {
qWarning() << "DeviceFlow::onDeviceAuthReplyFinished: Mandatory parameters missing from response";
updateActivity(Activity::FailedHard);
}
}
tokenReply->deleteLater();
}
// Spin up polling for the user completing the login flow out of band
void DeviceFlow::startPollServer(const QVariantMap &params, int expiresIn)
{
qDebug() << "DeviceFlow::startPollServer: device_ and user_code expires in" << expiresIn << "seconds";
QUrl url(options_.accessTokenUrl);
QNetworkRequest authRequest(url);
authRequest.setHeader(QNetworkRequest::ContentTypeHeader, "application/x-www-form-urlencoded");
const QString deviceCode = params[OAUTH2_DEVICE_CODE].toString();
const QString grantType = grantType_.isEmpty() ? OAUTH2_GRANT_TYPE_DEVICE : grantType_;
QList<RequestParameter> parameters;
parameters.append(RequestParameter(OAUTH2_CLIENT_ID, options_.clientIdentifier.toUtf8()));
if ( !options_.clientSecret.isEmpty() ) {
parameters.append(RequestParameter(OAUTH2_CLIENT_SECRET, options_.clientSecret.toUtf8()));
}
parameters.append(RequestParameter(OAUTH2_CODE, deviceCode.toUtf8()));
parameters.append(RequestParameter(OAUTH2_GRANT_TYPE, grantType.toUtf8()));
QByteArray payload = createQueryParameters(parameters);
PollServer * pollServer = new PollServer(manager_, authRequest, payload, expiresIn, this);
if (params.contains(OAUTH2_INTERVAL)) {
bool ok = false;
int interval = params[OAUTH2_INTERVAL].toInt(&ok);
if (ok) {
pollServer->setInterval(interval);
}
}
connect(pollServer, &PollServer::verificationReceived, this, &DeviceFlow::onVerificationReceived);
connect(pollServer, &PollServer::serverClosed, this, &DeviceFlow::serverHasClosed);
setPollServer(pollServer);
pollServer->startPolling();
}
// Once the user completes the flow, update the internal state and report it to observers
void DeviceFlow::onVerificationReceived(const QMap<QString, QString> response) {
qDebug() << "DeviceFlow::onVerificationReceived: Emitting closeBrowser()";
emit closeBrowser();
if (response.contains("error")) {
qWarning() << "DeviceFlow::onVerificationReceived: Verification failed:" << response;
updateActivity(Activity::FailedHard);
return;
}
// Check for mandatory tokens
if (response.contains(OAUTH2_ACCESS_TOKEN)) {
qDebug() << "DeviceFlow::onVerificationReceived: Access token returned for implicit or device flow";
setToken(response.value(OAUTH2_ACCESS_TOKEN));
if (response.contains(OAUTH2_EXPIRES_IN)) {
bool ok = false;
int expiresIn = response.value(OAUTH2_EXPIRES_IN).toInt(&ok);
if (ok) {
qDebug() << "DeviceFlow::onVerificationReceived: Token expires in" << expiresIn << "seconds";
setExpires(QDateTime::currentDateTimeUtc().addSecs(expiresIn));
}
}
if (response.contains(OAUTH2_REFRESH_TOKEN)) {
setRefreshToken(response.value(OAUTH2_REFRESH_TOKEN));
}
updateActivity(Activity::Succeeded);
} else {
qWarning() << "DeviceFlow::onVerificationReceived: Access token missing from response for implicit or device flow";
updateActivity(Activity::FailedHard);
}
}
// Or if the flow fails or the polling times out, update the internal state with error and report it to observers
void DeviceFlow::serverHasClosed(bool paramsfound)
{
if ( !paramsfound ) {
// server has probably timed out after receiving first response
updateActivity(Activity::FailedHard);
}
// poll server is not re-used for later auth requests
setPollServer(NULL);
}
void DeviceFlow::logout() {
qDebug() << "DeviceFlow::unlink";
updateActivity(Activity::LoggingOut);
// FIXME: implement logout flows... if they exist
token_ = Token();
updateActivity(Activity::FailedHard);
}
QDateTime DeviceFlow::expires() {
return token_.notAfter;
}
void DeviceFlow::setExpires(QDateTime v) {
token_.notAfter = v;
}
QString DeviceFlow::refreshToken() {
return token_.refresh_token;
}
void DeviceFlow::setRefreshToken(const QString &v) {
#ifndef NDEBUG
qDebug() << "DeviceFlow::setRefreshToken" << v << "...";
#endif
token_.refresh_token = v;
}
namespace {
QByteArray buildRequestBody(const QMap<QString, QString> &parameters) {
QByteArray body;
bool first = true;
foreach (QString key, parameters.keys()) {
if (first) {
first = false;
} else {
body.append("&");
}
QString value = parameters.value(key);
body.append(QUrl::toPercentEncoding(key) + QString("=").toUtf8() + QUrl::toPercentEncoding(value));
}
return body;
}
}
bool DeviceFlow::refresh() {
qDebug() << "DeviceFlow::refresh: Token: ..." << refreshToken().right(7);
updateActivity(Activity::Refreshing);
if (refreshToken().isEmpty()) {
qWarning() << "DeviceFlow::refresh: No refresh token";
onRefreshError(QNetworkReply::AuthenticationRequiredError, nullptr);
return false;
}
if (options_.accessTokenUrl.isEmpty()) {
qWarning() << "DeviceFlow::refresh: Refresh token URL not set";
onRefreshError(QNetworkReply::AuthenticationRequiredError, nullptr);
return false;
}
QNetworkRequest refreshRequest(options_.accessTokenUrl);
refreshRequest.setHeader(QNetworkRequest::ContentTypeHeader, MIME_TYPE_XFORM);
QMap<QString, QString> parameters;
parameters.insert(OAUTH2_CLIENT_ID, options_.clientIdentifier);
if ( !options_.clientSecret.isEmpty() ) {
parameters.insert(OAUTH2_CLIENT_SECRET, options_.clientSecret);
}
parameters.insert(OAUTH2_REFRESH_TOKEN, refreshToken());
parameters.insert(OAUTH2_GRANT_TYPE, OAUTH2_REFRESH_TOKEN);
QByteArray data = buildRequestBody(parameters);
QNetworkReply *refreshReply = manager_->post(refreshRequest, data);
timedReplies_.add(refreshReply);
connect(refreshReply, &QNetworkReply::finished, this, &DeviceFlow::onRefreshFinished, Qt::QueuedConnection);
return true;
}
void DeviceFlow::onRefreshFinished() {
QNetworkReply *refreshReply = qobject_cast<QNetworkReply *>(sender());
auto networkError = refreshReply->error();
if (networkError == QNetworkReply::NoError) {
QByteArray reply = refreshReply->readAll();
QVariantMap tokens = parseJsonResponse(reply);
setToken(tokens.value(OAUTH2_ACCESS_TOKEN).toString());
setExpires(QDateTime::currentDateTimeUtc().addSecs(tokens.value(OAUTH2_EXPIRES_IN).toInt()));
QString refreshToken = tokens.value(OAUTH2_REFRESH_TOKEN).toString();
if(!refreshToken.isEmpty()) {
setRefreshToken(refreshToken);
}
else {
qDebug() << "No new refresh token. Keep the old one.";
}
timedReplies_.remove(refreshReply);
refreshReply->deleteLater();
updateActivity(Activity::Succeeded);
qDebug() << "New token expires in" << expires() << "seconds";
} else {
// FIXME: differentiate the error more here
onRefreshError(networkError, refreshReply);
}
}
void DeviceFlow::onRefreshError(QNetworkReply::NetworkError error, QNetworkReply *refreshReply) {
QString errorString = "No Reply";
if(refreshReply) {
timedReplies_.remove(refreshReply);
errorString = refreshReply->errorString();
}
switch (error)
{
// used for invalid credentials and similar errors. Fall through.
case QNetworkReply::AuthenticationRequiredError:
case QNetworkReply::ContentAccessDenied:
case QNetworkReply::ContentOperationNotPermittedError:
case QNetworkReply::ProtocolInvalidOperationError:
updateActivity(Activity::FailedHard);
break;
case QNetworkReply::ContentGoneError: {
updateActivity(Activity::FailedGone);
break;
}
case QNetworkReply::TimeoutError:
case QNetworkReply::OperationCanceledError:
case QNetworkReply::SslHandshakeFailedError:
default:
updateActivity(Activity::FailedSoft);
return;
}
if(refreshReply) {
refreshReply->deleteLater();
}
qDebug() << "DeviceFlow::onRefreshFinished: Error" << (int)error << " - " << errorString;
}
}