| package controller |
|
|
| import ( |
| "encoding/json" |
| "errors" |
| "fmt" |
| "net/http" |
| "net/url" |
| "strconv" |
| "strings" |
| "time" |
|
|
| "github.com/QuantumNous/new-api/common" |
| "github.com/QuantumNous/new-api/model" |
| "github.com/QuantumNous/new-api/setting/system_setting" |
|
|
| "github.com/gin-contrib/sessions" |
| "github.com/gin-gonic/gin" |
| ) |
|
|
| type OidcResponse struct { |
| AccessToken string `json:"access_token"` |
| IDToken string `json:"id_token"` |
| RefreshToken string `json:"refresh_token"` |
| TokenType string `json:"token_type"` |
| ExpiresIn int `json:"expires_in"` |
| Scope string `json:"scope"` |
| } |
|
|
| type OidcUser struct { |
| OpenID string `json:"sub"` |
| Email string `json:"email"` |
| Name string `json:"name"` |
| PreferredUsername string `json:"preferred_username"` |
| Picture string `json:"picture"` |
| } |
|
|
| func getOidcUserInfoByCode(code string) (*OidcUser, error) { |
| if code == "" { |
| return nil, errors.New("无效的参数") |
| } |
|
|
| values := url.Values{} |
| values.Set("client_id", system_setting.GetOIDCSettings().ClientId) |
| values.Set("client_secret", system_setting.GetOIDCSettings().ClientSecret) |
| values.Set("code", code) |
| values.Set("grant_type", "authorization_code") |
| values.Set("redirect_uri", fmt.Sprintf("%s/oauth/oidc", system_setting.ServerAddress)) |
| formData := values.Encode() |
| req, err := http.NewRequest("POST", system_setting.GetOIDCSettings().TokenEndpoint, strings.NewReader(formData)) |
| if err != nil { |
| return nil, err |
| } |
| req.Header.Set("Content-Type", "application/x-www-form-urlencoded") |
| req.Header.Set("Accept", "application/json") |
| client := http.Client{ |
| Timeout: 5 * time.Second, |
| } |
| res, err := client.Do(req) |
| if err != nil { |
| common.SysLog(err.Error()) |
| return nil, errors.New("无法连接至 OIDC 服务器,请稍后重试!") |
| } |
| defer res.Body.Close() |
| var oidcResponse OidcResponse |
| err = json.NewDecoder(res.Body).Decode(&oidcResponse) |
| if err != nil { |
| return nil, err |
| } |
|
|
| if oidcResponse.AccessToken == "" { |
| common.SysLog("OIDC 获取 Token 失败,请检查设置!") |
| return nil, errors.New("OIDC 获取 Token 失败,请检查设置!") |
| } |
|
|
| req, err = http.NewRequest("GET", system_setting.GetOIDCSettings().UserInfoEndpoint, nil) |
| if err != nil { |
| return nil, err |
| } |
| req.Header.Set("Authorization", "Bearer "+oidcResponse.AccessToken) |
| res2, err := client.Do(req) |
| if err != nil { |
| common.SysLog(err.Error()) |
| return nil, errors.New("无法连接至 OIDC 服务器,请稍后重试!") |
| } |
| defer res2.Body.Close() |
| if res2.StatusCode != http.StatusOK { |
| common.SysLog("OIDC 获取用户信息失败!请检查设置!") |
| return nil, errors.New("OIDC 获取用户信息失败!请检查设置!") |
| } |
|
|
| var oidcUser OidcUser |
| err = json.NewDecoder(res2.Body).Decode(&oidcUser) |
| if err != nil { |
| return nil, err |
| } |
| if oidcUser.OpenID == "" || oidcUser.Email == "" { |
| common.SysLog("OIDC 获取用户信息为空!请检查设置!") |
| return nil, errors.New("OIDC 获取用户信息为空!请检查设置!") |
| } |
| return &oidcUser, nil |
| } |
|
|
| func OidcAuth(c *gin.Context) { |
| session := sessions.Default(c) |
| state := c.Query("state") |
| if state == "" || session.Get("oauth_state") == nil || state != session.Get("oauth_state").(string) { |
| c.JSON(http.StatusForbidden, gin.H{ |
| "success": false, |
| "message": "state is empty or not same", |
| }) |
| return |
| } |
| username := session.Get("username") |
| if username != nil { |
| OidcBind(c) |
| return |
| } |
| if !system_setting.GetOIDCSettings().Enabled { |
| c.JSON(http.StatusOK, gin.H{ |
| "success": false, |
| "message": "管理员未开启通过 OIDC 登录以及注册", |
| }) |
| return |
| } |
| code := c.Query("code") |
| oidcUser, err := getOidcUserInfoByCode(code) |
| if err != nil { |
| common.ApiError(c, err) |
| return |
| } |
| user := model.User{ |
| OidcId: oidcUser.OpenID, |
| } |
| if model.IsOidcIdAlreadyTaken(user.OidcId) { |
| err := user.FillUserByOidcId() |
| if err != nil { |
| c.JSON(http.StatusOK, gin.H{ |
| "success": false, |
| "message": err.Error(), |
| }) |
| return |
| } |
| } else { |
| if common.RegisterEnabled { |
| user.Email = oidcUser.Email |
| if oidcUser.PreferredUsername != "" { |
| user.Username = oidcUser.PreferredUsername |
| } else { |
| user.Username = "oidc_" + strconv.Itoa(model.GetMaxUserId()+1) |
| } |
| if oidcUser.Name != "" { |
| user.DisplayName = oidcUser.Name |
| } else { |
| user.DisplayName = "OIDC User" |
| } |
| err := user.Insert(0) |
| if err != nil { |
| c.JSON(http.StatusOK, gin.H{ |
| "success": false, |
| "message": err.Error(), |
| }) |
| return |
| } |
| } else { |
| c.JSON(http.StatusOK, gin.H{ |
| "success": false, |
| "message": "管理员关闭了新用户注册", |
| }) |
| return |
| } |
| } |
|
|
| if user.Status != common.UserStatusEnabled { |
| c.JSON(http.StatusOK, gin.H{ |
| "message": "用户已被封禁", |
| "success": false, |
| }) |
| return |
| } |
| setupLogin(&user, c) |
| } |
|
|
| func OidcBind(c *gin.Context) { |
| if !system_setting.GetOIDCSettings().Enabled { |
| c.JSON(http.StatusOK, gin.H{ |
| "success": false, |
| "message": "管理员未开启通过 OIDC 登录以及注册", |
| }) |
| return |
| } |
| code := c.Query("code") |
| oidcUser, err := getOidcUserInfoByCode(code) |
| if err != nil { |
| common.ApiError(c, err) |
| return |
| } |
| user := model.User{ |
| OidcId: oidcUser.OpenID, |
| } |
| if model.IsOidcIdAlreadyTaken(user.OidcId) { |
| c.JSON(http.StatusOK, gin.H{ |
| "success": false, |
| "message": "该 OIDC 账户已被绑定", |
| }) |
| return |
| } |
| session := sessions.Default(c) |
| id := session.Get("id") |
| |
| user.Id = id.(int) |
| err = user.FillUserById() |
| if err != nil { |
| common.ApiError(c, err) |
| return |
| } |
| user.OidcId = oidcUser.OpenID |
| err = user.Update(false) |
| if err != nil { |
| common.ApiError(c, err) |
| return |
| } |
| c.JSON(http.StatusOK, gin.H{ |
| "success": true, |
| "message": "bind", |
| }) |
| return |
| } |
|
|
