Merge pull request #4670 from communitybridge/unicron-add-return-url-to-get-user-from-session

Support redirect_url when no github session yet in /v2/user-from-session and state, code from github callback

Author: lukaszgryglicki

cla-backend/cla/controllers/repository_service.py

@@ -6,7 +6,7 @@
 """
 
 import cla
-
+from falcon import HTTP_202, HTTP_404
 
 def received_activity(provider, data):
     """
@@ -34,18 +34,19 @@ def sign_request(provider, installation_id, github_repository_id, change_request
     service = cla.utils.get_repository_service(provider)
     return service.sign_request(installation_id, github_repository_id, change_request_id, request)
 
-def user_from_session(redirect, request, response=None):
+def user_from_session(redirect, redirect_url, state, code, request, response=None):
     """
     Return user from OAuth2 session
     """
     # LG: to test using MockGitHub class
     # import os
     # from cla.models.github_models import MockGitHub
-    # user = MockGitHub(os.environ["GITHUB_OAUTH_TOKEN"]).user_from_session(request)
-    user = cla.utils.get_repository_service('github').user_from_session(request, redirect)
+    # user = MockGitHub(os.environ["GITHUB_OAUTH_TOKEN"]).user_from_session(request, redirect, redirect_url, state, code)
+    user = cla.utils.get_repository_service('github').user_from_session(request, redirect, redirect_url, state, code)
     if user is None:
         response.status = HTTP_404
         return {"errors": "Cannot find user from session"}
     if isinstance(user, dict):
+        response.status = HTTP_202
         return user
     return user.to_dict()

cla-backend/cla/models/github_models.py

@@ -96,21 +96,49 @@ def received_activity(self, data):
         else:
             cla.log.debug("github_models.received_activity - Ignoring unsupported action: {}".format(data["action"]))
 
-    def user_from_session(self, request, redirect):
-        fn = "github_models.user_from_session"  # function name
+    def user_from_session(self, request, redirect, redirect_url, state, code):
+        fn = "github_models.user_from_session"
         cla.log.debug(f"{fn} - Loading session from request: {request}...")
         session = self._get_request_session(request)
+        cla.log.debug(f"{fn} - redirect: {redirect}, redirect_url: {redirect_url}, state: {state}, code: {code}, session: {session}")
+
+        # we can already have token in the session
         if "github_oauth2_token" in session:
             cla.log.debug(f"{fn} - Using existing session GitHub OAuth2 token")
             user = self.get_or_create_user(request)
             cla.log.debug(f"{fn} - loaded user {user.to_dict()}")
             return user
+
+        # if not then we can either request a new OAuth2 GitHub authentication or user code & state from GitHub to create a session
+        if code and state:
+            session_state = None
+            if "github_oauth2_state" in session:
+                session_state = session["github_oauth2_state"]
+                cla.log.warning(f"{fn} - github_oauth2_state in current session: {session_state}")
+            else:
+                cla.log.warning(f"{fn} - github_oauth2_state not set in current session")
+            if session_state and state != session_state:
+                cla.log.warning(f"{fn} - invalid GitHub OAuth2 state {session_state} expecting {state}")
+                raise falcon.HTTPBadRequest(f"Invalid OAuth2 state: '{session_state}' != '{state}'")
+            token_url = cla.conf["GITHUB_OAUTH_TOKEN_URL"]
+            client_id = os.environ["GH_OAUTH_CLIENT_ID"]
+            client_secret = os.environ["GH_OAUTH_SECRET"]
+            try:
+                token = self._fetch_token(client_id, state, token_url, client_secret, code)
+            except Exception as err:
+                cla.log.warning(f"{fn} - GitHub OAuth2 error: {err}. Likely bad or expired code.")
+                raise falcon.HTTPBadRequest("OAuth2 code is invalid or expired")
+            cla.log.debug(f"{fn} - oauth2 token received for state {state}: {token} - storing token in session")
+            session["github_oauth2_token"] = token
+            user = self.get_or_create_user(request)
+            cla.log.debug(f"{fn} - loaded user {user.to_dict()}")
+            return user
         else:
             cla.log.debug(f"{fn} - No existing GitHub OAuth2 token - building authorization url and state")
-            authorization_url, state = self.get_authorization_url_and_state(None, None, None, ["user:email"])
+            authorization_url, new_state = self.get_github_oauth2_redirect_url_and_state(redirect_url)
             cla.log.debug(f"{fn} - Obtained GitHub OAuth2 state from authorization - storing state in the session...")
-            session["github_oauth2_state"] = state
-            cla.log.debug(f"{fn} - GitHub OAuth2 request with state {state} - sending user to {authorization_url}")
+            session["github_oauth2_state"] = new_state
+            cla.log.debug(f"{fn} - GitHub OAuth2 request with state {new_state} - sending user to {authorization_url}")
             if redirect:
                 raise falcon.HTTPFound(authorization_url)
             else:
@@ -176,6 +204,25 @@ def _get_request_session(self, request) -> dict:  # pylint: disable=no-self-use
 
         return session
 
+    def get_github_oauth2_redirect_url_and_state(self, redirect_uri):
+        fn = "github_models.get_github_oauth2_redirect_url_and_state"
+        github_oauth_url = cla.conf["GITHUB_OAUTH_AUTHORIZE_URL"]
+        github_oauth_client_id = os.environ["GH_OAUTH_CLIENT_ID"]
+        if not redirect_uri:
+            redirect_uri = os.environ.get("CLA_API_BASE", "").strip() + "/v2/user-from-session"
+
+        scope = ["user:email"]
+        cla.log.debug(
+            f"{fn} - Directing user to the github authorization url: {github_oauth_url} via "
+            f"our github installation flow: {redirect_uri} "
+            f"using the github oauth client id: {github_oauth_client_id[0:5]} "
+            f"with scope: {scope}"
+        )
+
+        return self._get_authorization_url_and_state(
+            client_id=github_oauth_client_id, redirect_uri=redirect_uri, scope=scope, authorize_url=github_oauth_url
+        )
+
     def get_authorization_url_and_state(self, installation_id, github_repository_id, pull_request_number, scope):
         """
         Helper method to get the GitHub OAuth2 authorization URL and state.
@@ -1848,7 +1895,7 @@ def _fetch_token(self, client_id, state, token_url, client_secret, code):  # pyl
     def _get_request_session(self, request) -> dict:
         if self.oauth2_token:
             return {
-                "github_oauth2_token": "random-token",
+                "github_oauth2_token": "random-token", # LG: comment this out to see how Mock class woudl attempt to fetch GitHub token using state & code
                 "github_oauth2_state": "random-state",
                 "github_origin_url": "http://github/origin/url",
                 "github_installation_id": 1,

cla-backend/cla/routes.py

@@ -1808,7 +1808,8 @@ def get_event(event_id: hug.types.text, response):
 def user_from_session(request, response):
     """
     GET: /user-from-session
-    Example: https://api.dev.lfcla.com/v2/user-from-session
+    Example: https://api.dev.lfcla.com/v2/user-from-session?redirect=0&redirect_url=localhost%3A4200
+    Example: https://api.dev.lfcla.com/v2/user-from-session?state=xyz&code=xyz
     Returns user object from OAuth2 session
     Example user returned:
     {
@@ -1832,10 +1833,20 @@ def user_from_session(request, response):
       "user_name": "Test User",
       "version": "v1"
     }
+    Can also return 302 redirect (if redirect mode is set redirect=1|yes|true)
+    Can also return 202 redirect_url for GitHub OAuth2 if redirect mode is not set (redirect=0|no|false) with payload:
+    {
+        "redirect_url": "https://github.com/login/oauth/authorize?response_type=code&client_id=38f6d46ff92b7ed04071&redirect_uri=abc&scope=user%3Aemail&state=VCshZQtMs0hPMw6XuMBBZODVaWAxXX"
+    }
+    Can also return 404 on OAuth2 errors or missing redirect_url when no session present
+    return_url should ideally be "CLA contributor console" URL + /v2/user-from-session, Github will add "?state=xyz&code=xyz"
     """
     raw_redirect = request.params.get('redirect', 'false').lower()
     redirect = raw_redirect in ('1', 'true', 'yes')
-    return cla.controllers.repository_service.user_from_session(redirect, request, response)
+    redirect_url = request.params.get('redirect_url', '')
+    state = request.params.get('state', '')
+    code = request.params.get('code', '')
+    return cla.controllers.repository_service.user_from_session(redirect, redirect_url, state, code, request, response)
 
 
 @hug.post("/events", versions=1)

utils/get_user_from_session_py.sh

@@ -2,6 +2,11 @@
 # API_URL=https://[xyz].ngrok-free.app (defaults to localhost:5000)
 # API_URL=https://api.lfcla.dev.platform.linuxfoundation.org
 # REDIRECT=0|1 DEBUG='' ./utils/get_user_from_session_py.sh
+# API_URL=https://api.lfcla.dev.platform.linuxfoundation.org DEBUG=1 REDIRECT=0 ./utils/get_user_from_session_py.sh 'https://contributor.easycla.lfx.linuxfoundation.org'
+# CODE=xyz STAE=xyz
+
+export redirect_url="${1}"
+export encoded_redirect_url=$(jq -rn --arg x "$redirect_url" '$x|@uri')
 
 if [ -z "$API_URL" ]
 then
@@ -13,12 +18,17 @@ then
   export REDIRECT="0"
 fi
 
-API="${API_URL}/v2/user-from-session?redirect=${REDIRECT}"
+if ( [ -z "${CODE}" ] && [ -z "${STATE}" ] )
+then
+  export API="${API_URL}/v2/user-from-session?redirect=${REDIRECT}&redirect_url=${encoded_redirect_url}"
+else
+  export API="${API_URL}/v2/user-from-session?code=${CODE}&state=${STATE}"
+fi
 
 if [ ! -z "$DEBUG" ]
 then
   echo "curl -s -XGET -H \"Content-Type: application/json\" \"${API}\""
-  curl -s -XGET -H "Content-Type: application/json" "${API}"
+  curl -i -s -XGET -H "Content-Type: application/json" "${API}"
 else
   curl -s -XGET -H "Content-Type: application/json" "${API}" | jq -r '.'
 fi