From patchwork Thu Jun  4 20:00:20 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Fr=C3=A9d=C3=A9ric_Mangano-Tarumi?=
 <fmang@mg0.fr>
X-Patchwork-Id: 1676
Return-Path: <aur-dev-bounces@archlinux.org>
Delivered-To: patchwork@archlinux.org
Received: from apollo.archlinux.org (localhost [127.0.0.1])
	by apollo.archlinux.org (Postfix) with ESMTP id 0830D192B9F66
	for <patchwork@archlinux.org>; Thu,  4 Jun 2020 20:00:38 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
 apollo.archlinux.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.9 required=5.0 tests=DKIM_SIGNED=0.1,
	DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,LOCAL_FAKEBUSINESS=0.5,
	MAILING_LIST_MULTI=-1,NUMERIC_HTTP_ADDR=0.001,RCVD_IN_DNSWL_MED=-2.3,
	RCVD_IN_MSPIKE_H4=0.001,RCVD_IN_MSPIKE_WL=0.001,SPF_HELO_NONE=0.001,
	T_DMARC_POLICY_NONE=0.01,WEIRD_PORT=0.001 autolearn=ham
	autolearn_force=no version=3.4.4
X-Spam-BL-Results: <dns:70.91.198.88.wl.mailspike.net> [127.0.0.19]
	<dns:70.91.198.88.list.dnswl.org> [127.0.9.2]
Received: from orion.archlinux.org (orion.archlinux.org [88.198.91.70])
	by apollo.archlinux.org (Postfix) with ESMTPS
	for <patchwork@archlinux.org>; Thu,  4 Jun 2020 20:00:38 +0000 (UTC)
Received: from orion.archlinux.org (localhost [127.0.0.1])
	by orion.archlinux.org (Postfix) with ESMTP id BA8C21C8DD2DD7;
	Thu,  4 Jun 2020 20:00:26 +0000 (UTC)
Received: from luna.archlinux.org (luna.archlinux.org [5.9.250.164])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	(Authenticated sender: luna)
	by orion.archlinux.org (Postfix) with ESMTPSA id 5F5711C8DD2DD1;
	Thu,  4 Jun 2020 20:00:26 +0000 (UTC)
Authentication-Results: orion.archlinux.org;
	dkim=pass (1024-bit key) header.d=mg0.fr header.i=@mg0.fr header.b=Helds6hZ
Received: from luna.archlinux.org (luna.archlinux.org [127.0.0.1])
	by luna.archlinux.org (Postfix) with ESMTP id 5254F2BE6D;
	Thu,  4 Jun 2020 20:00:26 +0000 (UTC)
Authentication-Results: luna.archlinux.org;
	dkim=pass (1024-bit key) header.d=mg0.fr header.i=@mg0.fr header.b=Helds6hZ
Received: from luna.archlinux.org (luna.archlinux.org [127.0.0.1])
 by luna.archlinux.org (Postfix) with ESMTP id 0F34E2B9E8
 for <aur-dev@lists.archlinux.org>; Thu,  4 Jun 2020 20:00:23 +0000 (UTC)
Received: from orion.archlinux.org (orion.archlinux.org
 [IPv6:2a01:4f8:160:6087::1])
 by luna.archlinux.org (Postfix) with ESMTPS
 for <aur-dev@lists.archlinux.org>; Thu,  4 Jun 2020 20:00:23 +0000 (UTC)
Received: from orion.archlinux.org (localhost [127.0.0.1])
 by orion.archlinux.org (Postfix) with ESMTP id 271D31C8DD2DCF
 for <aur-dev@archlinux.org>; Thu,  4 Jun 2020 20:00:21 +0000 (UTC)
Received: from tsubame.mg0.fr (tsubame.mg0.fr [IPv6:2001:41d0:401:3100::402b])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest
 SHA256) (No client certificate requested)
 by orion.archlinux.org (Postfix) with ESMTPS
 for <aur-dev@archlinux.org>; Thu,  4 Jun 2020 20:00:21 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mg0.fr;
 s=tsubame; h=Message-ID:Subject:To:From:Date:cc;
 bh=qZTEHTTofW8xiTiChzUz1zbctajDSltsfrw1AsgyGOY=; b=Helds6hZZaPSOmHMK5docwrkdw
 mizP6rfhK31yVDBpg1Y+FN3gf7VWz3GibkzTfJd3Qh27lybhPKRmNgBb5KcUId7AcuLANCAHnJRX6
 HkVUvty/umJJTZq+wbwm8D4/xAnM4yJOSDYnChEOwFOcy7iurG2Jg9OpT9bw0WC4l5K4=;
Received: from fmang by tsubame.mg0.fr with local (Exim 4.93)
 (envelope-from <fmang@mg0.fr>) id 1jgw2G-003kYh-0Z
 for aur-dev@archlinux.org; Thu, 04 Jun 2020 22:00:20 +0200
Date: Thu, 4 Jun 2020 22:00:20 +0200
From: =?utf-8?b?RnLDqWTDqXJpYw==?= Mangano-Tarumi <fmang@mg0.fr>
To: aur-dev@archlinux.org
Subject: [PATCH 3/4] Crude OpenID Connect client using Authlib
Message-ID: <20200604200020.GA893616@tsubame.mg0.fr>
MIME-Version: 1.0
Content-Disposition: inline
X-BeenThere: aur-dev@archlinux.org
X-Mailman-Version: 2.1.33
Precedence: list
List-Id: "Arch User Repository \(AUR\) Development" <aur-dev.archlinux.org>
List-Unsubscribe: <https://lists.archlinux.org/options/aur-dev>,
 <mailto:aur-dev-request@archlinux.org?subject=unsubscribe>
List-Archive: <https://lists.archlinux.org/pipermail/aur-dev/>
List-Post: <mailto:aur-dev@archlinux.org>
List-Help: <mailto:aur-dev-request@archlinux.org?subject=help>
List-Subscribe: <https://lists.archlinux.org/listinfo/aur-dev>,
 <mailto:aur-dev-request@archlinux.org?subject=subscribe>
Errors-To: aur-dev-bounces@archlinux.org
Sender: "aur-dev" <aur-dev-bounces@archlinux.org>

Developers can go to /sso/login to get redirected to the SSO. On
successful login, the ID token is displayed.
---
 .gitlab-ci.yml             |  3 ++-
 TESTING                    |  3 ++-
 aurweb/asgi.py             | 13 +++++++++++++
 aurweb/routers/__init__.py |  5 +++++
 aurweb/routers/sso.py      | 30 ++++++++++++++++++++++++++++++
 aurweb/spawn.py            |  3 +++
 conf/config.defaults       |  8 ++++++++
 conf/config.dev            |  9 +++++++++
 8 files changed, 72 insertions(+), 2 deletions(-)
 create mode 100644 aurweb/routers/__init__.py
 create mode 100644 aurweb/routers/sso.py

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index f6260ebb..9dc951aa 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -11,7 +11,8 @@ before_script:
            base-devel git gpgme protobuf pyalpm python-mysql-connector
            python-pygit2 python-srcinfo python-bleach python-markdown
            python-sqlalchemy python-alembic python-pytest python-werkzeug
-           python-pytest-tap python-fastapi uvicorn nginx
+           python-pytest-tap python-fastapi uvicorn nginx python-authlib
+           python-itsdangerous python-httpx
 
 test:
   script:
diff --git a/TESTING b/TESTING
index 7261df92..d7df3672 100644
--- a/TESTING
+++ b/TESTING
@@ -13,7 +13,8 @@ INSTALL.
 
     # pacman -S --needed php php-sqlite sqlite words fortune-mod \
                          python python-sqlalchemy python-alembic \
-                         python-fastapi uvicorn nginx
+                         python-fastapi uvicorn nginx \
+                         python-authlib python-itsdangerous python-httpx
 
    Ensure to enable the pdo_sqlite extension in php.ini.
 
diff --git a/aurweb/asgi.py b/aurweb/asgi.py
index 9bb71ecc..60c7ade7 100644
--- a/aurweb/asgi.py
+++ b/aurweb/asgi.py
@@ -1,3 +1,16 @@
 from fastapi import FastAPI
+from starlette.middleware.sessions import SessionMiddleware
+
+import aurweb.config
+
+from aurweb.routers import sso
 
 app = FastAPI()
+
+session_secret = aurweb.config.get("fastapi", "session_secret")
+if not session_secret:
+    raise Exception("[fastapi] session_secret must not be empty")
+
+app.add_middleware(SessionMiddleware, secret_key=session_secret)
+
+app.include_router(sso.router)
diff --git a/aurweb/routers/__init__.py b/aurweb/routers/__init__.py
new file mode 100644
index 00000000..35d43c03
--- /dev/null
+++ b/aurweb/routers/__init__.py
@@ -0,0 +1,5 @@
+"""
+API routers for FastAPI.
+
+See https://fastapi.tiangolo.com/tutorial/bigger-applications/
+"""
diff --git a/aurweb/routers/sso.py b/aurweb/routers/sso.py
new file mode 100644
index 00000000..b16edffb
--- /dev/null
+++ b/aurweb/routers/sso.py
@@ -0,0 +1,30 @@
+import fastapi
+
+from authlib.integrations.starlette_client import OAuth
+from starlette.requests import Request
+
+import aurweb.config
+
+router = fastapi.APIRouter()
+
+oauth = OAuth()
+oauth.register(
+    name="sso",
+    server_metadata_url=aurweb.config.get("sso", "openid_configuration"),
+    client_kwargs={"scope": "openid"},
+    client_id=aurweb.config.get("sso", "client_id"),
+    client_secret=aurweb.config.get("sso", "client_secret"),
+)
+
+
+@router.get("/sso/login")
+async def login(request: Request):
+    redirect_uri = aurweb.config.get("options", "aur_location") + "/sso/authenticate"
+    return await oauth.sso.authorize_redirect(request, redirect_uri, prompt="login")
+
+
+@router.get("/sso/authenticate")
+async def authenticate(request: Request):
+    token = await oauth.sso.authorize_access_token(request)
+    user = await oauth.sso.parse_id_token(request, token)
+    return dict(user)
diff --git a/aurweb/spawn.py b/aurweb/spawn.py
index e86f29fe..5da8587e 100644
--- a/aurweb/spawn.py
+++ b/aurweb/spawn.py
@@ -60,6 +60,9 @@ def generate_nginx_config():
                 location / {{
                     proxy_pass http://{aurweb.config.get("php", "bind_address")};
                 }}
+                location /sso {{
+                    proxy_pass http://{aurweb.config.get("fastapi", "bind_address")};
+                }}
             }}
         }}
     """)
diff --git a/conf/config.defaults b/conf/config.defaults
index 447dacac..49259754 100644
--- a/conf/config.defaults
+++ b/conf/config.defaults
@@ -68,6 +68,14 @@ username-regex = [a-zA-Z0-9]+[.\-_]?[a-zA-Z0-9]+$
 git-serve-cmd = /usr/local/bin/aurweb-git-serve
 ssh-options = restrict
 
+[sso]
+openid_configuration =
+client_id =
+client_secret =
+
+[fastapi]
+session_secret =
+
 [serve]
 repo-path = /srv/http/aurweb/aur.git/
 repo-regex = [a-z0-9][a-z0-9.+_-]*$
diff --git a/conf/config.dev b/conf/config.dev
index d752f61f..27e981f8 100644
--- a/conf/config.dev
+++ b/conf/config.dev
@@ -20,6 +20,12 @@ aur_location = http://127.0.0.1:8080
 disable_http_login = 0
 enable-maintenance = 0
 
+; Single sign-on
+[sso]
+openid_configuration = http://127.0.0.1:8083/auth/realms/aurweb/.well-known/openid-configuration
+client_id = aurweb
+client_secret =
+
 [php]
 ; Address PHP should bind when spawned in development mode by aurweb.spawn.
 bind_address = 127.0.0.1:8081
@@ -30,3 +36,6 @@ htmldir = YOUR_AUR_ROOT/web/html
 [fastapi]
 ; Address uvicorn should bind when spawned in development mode by aurweb.spawn.
 bind_address = 127.0.0.1:8082
+
+; Passphrase FastAPI uses to sign client-side sessions.
+session_secret = 極秘、訳すな！あ、遅過ぎた。