quay/oauth/services/github.py

import logging

from oauth.base import OAuthEndpoint
from oauth.login import OAuthLoginService, OAuthLoginException
from util import slash_join

logger = logging.getLogger(__name__)

class GithubOAuthService(OAuthLoginService):
  def __init__(self, config, key_name):
    super(GithubOAuthService, self).__init__(config, key_name)

  def login_enabled(self, config):
    return config.get('FEATURE_GITHUB_LOGIN', False)

  def service_id(self):
    return 'github'

  def service_name(self):
    if self.is_enterprise():
      return 'GitHub Enterprise'

    return 'GitHub'

  def get_icon(self):
    return 'fa-github'

  def get_login_scopes(self):
    if self.config.get('ORG_RESTRICT'):
      return ['user:email', 'read:org']

    return ['user:email']

  def allowed_organizations(self):
    if not self.config.get('ORG_RESTRICT', False):
      return None

    allowed = self.config.get('ALLOWED_ORGANIZATIONS', None)
    if allowed is None:
      return None

    return [org.lower() for org in allowed]

  def get_public_url(self, suffix):
    return slash_join(self._endpoint(), suffix)

  def _endpoint(self):
    return self.config.get('GITHUB_ENDPOINT', 'https://github.com')

  def is_enterprise(self):
    return self._api_endpoint().find('.github.com') < 0

  def authorize_endpoint(self):
    return OAuthEndpoint(slash_join(self._endpoint(), '/login/oauth/authorize'))

  def token_endpoint(self):
    return OAuthEndpoint(slash_join(self._endpoint(), '/login/oauth/access_token'))

  def user_endpoint(self):
    return OAuthEndpoint(slash_join(self._api_endpoint(), 'user'))

  def _api_endpoint(self):
    return self.config.get('API_ENDPOINT', slash_join(self._endpoint(), '/api/v3/'))

  def api_endpoint(self):
    endpoint = self._api_endpoint()
    if endpoint.endswith('/'):
      return endpoint[0:-1]

    return endpoint

  def email_endpoint(self):
    return slash_join(self._api_endpoint(), 'user/emails')

  def orgs_endpoint(self):
    return slash_join(self._api_endpoint(), 'user/orgs')

  def validate_client_id_and_secret(self, http_client, url_scheme_and_hostname):
    # First: Verify that the github endpoint is actually Github by checking for the
    # X-GitHub-Request-Id here.
    api_endpoint = self._api_endpoint()
    result = http_client.get(api_endpoint, auth=(self.client_id(), self.client_secret()), timeout=5)
    if not 'X-GitHub-Request-Id' in result.headers:
      raise Exception('Endpoint is not a Github (Enterprise) installation')

    # Next: Verify the client ID and secret.
    # Note: The following code is a hack until such time as Github officially adds an API endpoint
    # for verifying a {client_id, client_secret} pair. This workaround was given to us
    # *by a Github Engineer* (Jan 8, 2015).
    #
    # TODO: Replace with the real API call once added.
    #
    # Hitting the endpoint applications/{client_id}/tokens/foo will result in the following
    # behavior IF the client_id is given as the HTTP username and the client_secret as the HTTP
    # password:
    #   - If the {client_id, client_secret} pair is invalid in some way, we get a 401 error.
    #   - If the pair is valid, then we get a 404 because the 'foo' token does not exists.
    validate_endpoint = slash_join(api_endpoint, 'applications/%s/tokens/foo' % self.client_id())
    result = http_client.get(validate_endpoint, auth=(self.client_id(), self.client_secret()),
                             timeout=5)
    return result.status_code == 404

  def validate_organization(self, organization_id, http_client):
    org_endpoint = slash_join(self._api_endpoint(), 'orgs/%s' % organization_id.lower())

    result = http_client.get(org_endpoint,
                             headers={'Accept': 'application/vnd.github.moondragon+json'},
                             timeout=5)

    return result.status_code == 200


  def get_public_config(self):
    return  {
      'CLIENT_ID': self.client_id(),
      'AUTHORIZE_ENDPOINT': self.authorize_endpoint().to_url(),
      'GITHUB_ENDPOINT': self._endpoint(),
      'ORG_RESTRICT': self.config.get('ORG_RESTRICT', False)
    }

  def get_login_service_id(self, user_info):
    return user_info['id']

  def get_login_service_username(self, user_info):
    return user_info['login']

  def get_verified_user_email(self, app_config, http_client, token, user_info):
    v3_media_type = {
      'Accept': 'application/vnd.github.v3'
    }

    token_param = {
      'access_token': token,
    }

    # Find the e-mail address for the user: we will accept any email, but we prefer the primary
    get_email = http_client.get(self.email_endpoint(), params=token_param, headers=v3_media_type)
    if get_email.status_code // 100 != 2:
      raise OAuthLoginException('Got non-2XX status code for emails endpoint: %s' %
                                get_email.status_code)

    verified_emails = [email for email in get_email.json() if email['verified']]
    primary_emails = [email for email in get_email.json() if email['primary']]

    # Special case: We don't care about whether an e-mail address is "verified" under GHE.
    if self.is_enterprise() and not verified_emails:
      verified_emails = primary_emails

    allowed_emails = (primary_emails or verified_emails or [])
    return allowed_emails[0]['email'] if len(allowed_emails) > 0 else None

  def service_verify_user_info_for_login(self, app_config, http_client, token, user_info):
    # Retrieve the user's orgnizations (if organization filtering is turned on)
    if self.allowed_organizations() is None:
      return

    moondragon_media_type = {
      'Accept': 'application/vnd.github.moondragon+json'
    }

    token_param = {
      'access_token': token,
    }

    get_orgs = http_client.get(self.orgs_endpoint(), params=token_param,
                               headers=moondragon_media_type)

    if get_orgs.status_code // 100 != 2:
      logger.debug('get_orgs response: %s', get_orgs.json())
      raise OAuthLoginException('Got non-2XX response for org lookup: %s' %
                                get_orgs.status_code)

    organizations = set([org.get('login').lower() for org in get_orgs.json()])
    matching_organizations = organizations & set(self.allowed_organizations())
    if not matching_organizations:
      logger.debug('Found organizations %s, but expected one of %s', organizations,
                   self.allowed_organizations())
      err = """You are not a member of an allowed GitHub organization.
               Please contact your system administrator if you believe this is in error."""
      raise OAuthLoginException(err)
initial import for Open Source 🎉 2019-11-12 16:09:47 +00:00			`import logging`

			`from oauth.base import OAuthEndpoint`
			`from oauth.login import OAuthLoginService, OAuthLoginException`
			`from util import slash_join`

			`logger = logging.getLogger(__name__)`

			`class GithubOAuthService(OAuthLoginService):`
			`def __init__(self, config, key_name):`
			`super(GithubOAuthService, self).__init__(config, key_name)`

			`def login_enabled(self, config):`
			`return config.get('FEATURE_GITHUB_LOGIN', False)`

			`def service_id(self):`
			`return 'github'`

			`def service_name(self):`
			`if self.is_enterprise():`
			`return 'GitHub Enterprise'`

			`return 'GitHub'`

			`def get_icon(self):`
			`return 'fa-github'`

			`def get_login_scopes(self):`
			`if self.config.get('ORG_RESTRICT'):`
			`return ['user:email', 'read:org']`

			`return ['user:email']`

			`def allowed_organizations(self):`
			`if not self.config.get('ORG_RESTRICT', False):`
			`return None`

			`allowed = self.config.get('ALLOWED_ORGANIZATIONS', None)`
			`if allowed is None:`
			`return None`

			`return [org.lower() for org in allowed]`

			`def get_public_url(self, suffix):`
			`return slash_join(self._endpoint(), suffix)`

			`def _endpoint(self):`
			`return self.config.get('GITHUB_ENDPOINT', 'https://github.com')`

			`def is_enterprise(self):`
			`return self._api_endpoint().find('.github.com') < 0`

			`def authorize_endpoint(self):`
			`return OAuthEndpoint(slash_join(self._endpoint(), '/login/oauth/authorize'))`

			`def token_endpoint(self):`
			`return OAuthEndpoint(slash_join(self._endpoint(), '/login/oauth/access_token'))`

			`def user_endpoint(self):`
			`return OAuthEndpoint(slash_join(self._api_endpoint(), 'user'))`

			`def _api_endpoint(self):`
			`return self.config.get('API_ENDPOINT', slash_join(self._endpoint(), '/api/v3/'))`

			`def api_endpoint(self):`
			`endpoint = self._api_endpoint()`
			`if endpoint.endswith('/'):`
			`return endpoint[0:-1]`

			`return endpoint`

			`def email_endpoint(self):`
			`return slash_join(self._api_endpoint(), 'user/emails')`

			`def orgs_endpoint(self):`
			`return slash_join(self._api_endpoint(), 'user/orgs')`

			`def validate_client_id_and_secret(self, http_client, url_scheme_and_hostname):`
			`# First: Verify that the github endpoint is actually Github by checking for the`
			`# X-GitHub-Request-Id here.`
			`api_endpoint = self._api_endpoint()`
			`result = http_client.get(api_endpoint, auth=(self.client_id(), self.client_secret()), timeout=5)`
			`if not 'X-GitHub-Request-Id' in result.headers:`
			`raise Exception('Endpoint is not a Github (Enterprise) installation')`

			`# Next: Verify the client ID and secret.`
			`# Note: The following code is a hack until such time as Github officially adds an API endpoint`
			`# for verifying a {client_id, client_secret} pair. This workaround was given to us`
			`# by a Github Engineer (Jan 8, 2015).`
			`#`
			`# TODO: Replace with the real API call once added.`
			`#`
			`# Hitting the endpoint applications/{client_id}/tokens/foo will result in the following`
			`# behavior IF the client_id is given as the HTTP username and the client_secret as the HTTP`
			`# password:`
			`# - If the {client_id, client_secret} pair is invalid in some way, we get a 401 error.`
			`# - If the pair is valid, then we get a 404 because the 'foo' token does not exists.`
			`validate_endpoint = slash_join(api_endpoint, 'applications/%s/tokens/foo' % self.client_id())`
			`result = http_client.get(validate_endpoint, auth=(self.client_id(), self.client_secret()),`
			`timeout=5)`
			`return result.status_code == 404`

			`def validate_organization(self, organization_id, http_client):`
			`org_endpoint = slash_join(self._api_endpoint(), 'orgs/%s' % organization_id.lower())`

			`result = http_client.get(org_endpoint,`
			`headers={'Accept': 'application/vnd.github.moondragon+json'},`
			`timeout=5)`

			`return result.status_code == 200`


			`def get_public_config(self):`
			`return {`
			`'CLIENT_ID': self.client_id(),`
			`'AUTHORIZE_ENDPOINT': self.authorize_endpoint().to_url(),`
			`'GITHUB_ENDPOINT': self._endpoint(),`
			`'ORG_RESTRICT': self.config.get('ORG_RESTRICT', False)`
			`}`

			`def get_login_service_id(self, user_info):`
			`return user_info['id']`

			`def get_login_service_username(self, user_info):`
			`return user_info['login']`

			`def get_verified_user_email(self, app_config, http_client, token, user_info):`
			`v3_media_type = {`
			`'Accept': 'application/vnd.github.v3'`
			`}`

			`token_param = {`
			`'access_token': token,`
			`}`

			`# Find the e-mail address for the user: we will accept any email, but we prefer the primary`
			`get_email = http_client.get(self.email_endpoint(), params=token_param, headers=v3_media_type)`
			`if get_email.status_code // 100 != 2:`
			`raise OAuthLoginException('Got non-2XX status code for emails endpoint: %s' %`
			`get_email.status_code)`

			`verified_emails = [email for email in get_email.json() if email['verified']]`
			`primary_emails = [email for email in get_email.json() if email['primary']]`

			`# Special case: We don't care about whether an e-mail address is "verified" under GHE.`
			`if self.is_enterprise() and not verified_emails:`
			`verified_emails = primary_emails`

			`allowed_emails = (primary_emails or verified_emails or [])`
			`return allowed_emails[0]['email'] if len(allowed_emails) > 0 else None`

			`def service_verify_user_info_for_login(self, app_config, http_client, token, user_info):`
			`# Retrieve the user's orgnizations (if organization filtering is turned on)`
			`if self.allowed_organizations() is None:`
			`return`

			`moondragon_media_type = {`
			`'Accept': 'application/vnd.github.moondragon+json'`
			`}`

			`token_param = {`
			`'access_token': token,`
			`}`

			`get_orgs = http_client.get(self.orgs_endpoint(), params=token_param,`
			`headers=moondragon_media_type)`

			`if get_orgs.status_code // 100 != 2:`
			`logger.debug('get_orgs response: %s', get_orgs.json())`
			`raise OAuthLoginException('Got non-2XX response for org lookup: %s' %`
			`get_orgs.status_code)`

			`organizations = set([org.get('login').lower() for org in get_orgs.json()])`
			`matching_organizations = organizations & set(self.allowed_organizations())`
			`if not matching_organizations:`
			`logger.debug('Found organizations %s, but expected one of %s', organizations,`
			`self.allowed_organizations())`
			`err = """You are not a member of an allowed GitHub organization.`
			`Please contact your system administrator if you believe this is in error."""`
			`raise OAuthLoginException(err)`