mirror of
https://github.com/mattermost/mattermost.git
synced 2026-02-03 20:40:00 -05:00
300 lines
11 KiB
Go
300 lines
11 KiB
Go
// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
|
|
// See LICENSE.txt for license information.
|
|
|
|
package model
|
|
|
|
import (
|
|
"crypto/sha256"
|
|
"encoding/base64"
|
|
"net/http"
|
|
"net/url"
|
|
"regexp"
|
|
)
|
|
|
|
var (
|
|
codeChallengeRegex = regexp.MustCompile("^[A-Za-z0-9_-]+$")
|
|
codeVerifierRegex = regexp.MustCompile(`^[A-Za-z0-9\-._~]+$`)
|
|
)
|
|
|
|
const (
|
|
AuthCodeExpireTime = 60 * 10 // 10 minutes
|
|
AuthCodeResponseType = "code"
|
|
ImplicitResponseType = "token"
|
|
DefaultScope = "user"
|
|
PKCECodeChallengeMethodS256 = "S256"
|
|
PKCECodeChallengeMinLength = 43
|
|
PKCECodeChallengeMaxLength = 128
|
|
PKCECodeVerifierMinLength = 43
|
|
PKCECodeVerifierMaxLength = 128
|
|
)
|
|
|
|
type AuthData struct {
|
|
ClientId string `json:"client_id"`
|
|
UserId string `json:"user_id"`
|
|
Code string `json:"code"`
|
|
ExpiresIn int32 `json:"expires_in"`
|
|
CreateAt int64 `json:"create_at"`
|
|
RedirectUri string `json:"redirect_uri"`
|
|
State string `json:"state"`
|
|
Scope string `json:"scope"`
|
|
CodeChallenge string `json:"code_challenge,omitempty"`
|
|
CodeChallengeMethod string `json:"code_challenge_method,omitempty"`
|
|
Resource string `json:"resource,omitempty"`
|
|
}
|
|
|
|
type AuthorizeRequest struct {
|
|
ResponseType string `json:"response_type"`
|
|
ClientId string `json:"client_id"`
|
|
RedirectURI string `json:"redirect_uri"`
|
|
Scope string `json:"scope"`
|
|
State string `json:"state"`
|
|
CodeChallenge string `json:"code_challenge,omitempty"`
|
|
CodeChallengeMethod string `json:"code_challenge_method,omitempty"`
|
|
Resource string `json:"resource,omitempty"`
|
|
}
|
|
|
|
// IsValid validates the AuthData and returns an error if it isn't configured
|
|
// correctly.
|
|
func (ad *AuthData) IsValid() *AppError {
|
|
if !IsValidId(ad.ClientId) {
|
|
return NewAppError("AuthData.IsValid", "model.authorize.is_valid.client_id.app_error", nil, "", http.StatusBadRequest)
|
|
}
|
|
|
|
if !IsValidId(ad.UserId) {
|
|
return NewAppError("AuthData.IsValid", "model.authorize.is_valid.user_id.app_error", nil, "", http.StatusBadRequest)
|
|
}
|
|
|
|
if ad.Code == "" || len(ad.Code) > 128 {
|
|
return NewAppError("AuthData.IsValid", "model.authorize.is_valid.auth_code.app_error", nil, "client_id="+ad.ClientId, http.StatusBadRequest)
|
|
}
|
|
|
|
if ad.ExpiresIn == 0 {
|
|
return NewAppError("AuthData.IsValid", "model.authorize.is_valid.expires.app_error", nil, "", http.StatusBadRequest)
|
|
}
|
|
|
|
if ad.CreateAt <= 0 {
|
|
return NewAppError("AuthData.IsValid", "model.authorize.is_valid.create_at.app_error", nil, "client_id="+ad.ClientId, http.StatusBadRequest)
|
|
}
|
|
|
|
if len(ad.RedirectUri) > 256 || !IsValidHTTPURL(ad.RedirectUri) {
|
|
return NewAppError("AuthData.IsValid", "model.authorize.is_valid.redirect_uri.app_error", nil, "client_id="+ad.ClientId, http.StatusBadRequest)
|
|
}
|
|
|
|
if len(ad.State) > 1024 {
|
|
return NewAppError("AuthData.IsValid", "model.authorize.is_valid.state.app_error", nil, "client_id="+ad.ClientId, http.StatusBadRequest)
|
|
}
|
|
|
|
if len(ad.Scope) > 128 {
|
|
return NewAppError("AuthData.IsValid", "model.authorize.is_valid.scope.app_error", nil, "client_id="+ad.ClientId, http.StatusBadRequest)
|
|
}
|
|
|
|
// PKCE validation - if one PKCE field is present, both must be present and valid
|
|
if ad.CodeChallenge != "" || ad.CodeChallengeMethod != "" {
|
|
if err := ad.validatePKCE(); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
// Resource validation per RFC 8707
|
|
if ad.Resource != "" {
|
|
if err := ValidateResourceParameter(ad.Resource, ad.ClientId, "AuthData.IsValid"); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// IsValid validates the AuthorizeRequest and returns an error if it isn't configured
|
|
// correctly.
|
|
func (ar *AuthorizeRequest) IsValid() *AppError {
|
|
if !IsValidId(ar.ClientId) {
|
|
return NewAppError("AuthData.IsValid", "model.authorize.is_valid.client_id.app_error", nil, "", http.StatusBadRequest)
|
|
}
|
|
|
|
if ar.ResponseType == "" {
|
|
return NewAppError("AuthData.IsValid", "model.authorize.is_valid.response_type.app_error", nil, "", http.StatusBadRequest)
|
|
}
|
|
|
|
if ar.RedirectURI == "" || len(ar.RedirectURI) > 256 || !IsValidHTTPURL(ar.RedirectURI) {
|
|
return NewAppError("AuthData.IsValid", "model.authorize.is_valid.redirect_uri.app_error", nil, "client_id="+ar.ClientId, http.StatusBadRequest)
|
|
}
|
|
|
|
if len(ar.State) > 1024 {
|
|
return NewAppError("AuthData.IsValid", "model.authorize.is_valid.state.app_error", nil, "client_id="+ar.ClientId, http.StatusBadRequest)
|
|
}
|
|
|
|
if len(ar.Scope) > 128 {
|
|
return NewAppError("AuthData.IsValid", "model.authorize.is_valid.scope.app_error", nil, "client_id="+ar.ClientId, http.StatusBadRequest)
|
|
}
|
|
|
|
// PKCE validation - if one PKCE field is present, both must be present and valid
|
|
if ar.CodeChallenge != "" || ar.CodeChallengeMethod != "" {
|
|
if err := ar.validatePKCE(); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
// Resource validation per RFC 8707
|
|
if ar.Resource != "" {
|
|
if err := ValidateResourceParameter(ar.Resource, ar.ClientId, "AuthorizeRequest.IsValid"); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (ad *AuthData) PreSave() {
|
|
if ad.ExpiresIn == 0 {
|
|
ad.ExpiresIn = AuthCodeExpireTime
|
|
}
|
|
|
|
if ad.CreateAt == 0 {
|
|
ad.CreateAt = GetMillis()
|
|
}
|
|
|
|
if ad.Scope == "" {
|
|
ad.Scope = DefaultScope
|
|
}
|
|
}
|
|
|
|
func (ad *AuthData) IsExpired() bool {
|
|
return GetMillis() > ad.CreateAt+int64(ad.ExpiresIn*1000)
|
|
}
|
|
|
|
// validatePKCEParameters validates PKCE parameters (shared validation logic)
|
|
func validatePKCEParameters(codeChallenge, codeChallengeMethod, clientId, caller string) *AppError {
|
|
if codeChallenge == "" {
|
|
return NewAppError(caller, "model.authorize.is_valid.code_challenge.app_error", nil, "client_id="+clientId, http.StatusBadRequest)
|
|
}
|
|
|
|
if codeChallengeMethod == "" {
|
|
return NewAppError(caller, "model.authorize.is_valid.code_challenge_method.app_error", nil, "client_id="+clientId, http.StatusBadRequest)
|
|
}
|
|
|
|
// Only support S256 method for security
|
|
if codeChallengeMethod != PKCECodeChallengeMethodS256 {
|
|
return NewAppError(caller, "model.authorize.is_valid.code_challenge_method.unsupported.app_error", nil, "client_id="+clientId+", method="+codeChallengeMethod, http.StatusBadRequest)
|
|
}
|
|
|
|
// Validate code challenge format (base64url encoded)
|
|
if len(codeChallenge) < PKCECodeChallengeMinLength || len(codeChallenge) > PKCECodeChallengeMaxLength {
|
|
return NewAppError(caller, "model.authorize.is_valid.code_challenge.length.app_error", nil, "client_id="+clientId, http.StatusBadRequest)
|
|
}
|
|
|
|
// Validate base64url format (no padding, URL-safe characters)
|
|
if !codeChallengeRegex.MatchString(codeChallenge) {
|
|
return NewAppError(caller, "model.authorize.is_valid.code_challenge.format.app_error", nil, "client_id="+clientId, http.StatusBadRequest)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// validatePKCE validates PKCE parameters for AuthData
|
|
func (ad *AuthData) validatePKCE() *AppError {
|
|
return validatePKCEParameters(ad.CodeChallenge, ad.CodeChallengeMethod, ad.ClientId, "AuthData.validatePKCE")
|
|
}
|
|
|
|
// validatePKCE validates PKCE parameters for AuthorizeRequest
|
|
func (ar *AuthorizeRequest) validatePKCE() *AppError {
|
|
return validatePKCEParameters(ar.CodeChallenge, ar.CodeChallengeMethod, ar.ClientId, "AuthorizeRequest.validatePKCE")
|
|
}
|
|
|
|
// VerifyPKCE verifies a PKCE code_verifier against the stored code_challenge
|
|
func (ad *AuthData) VerifyPKCE(codeVerifier string) bool {
|
|
// Both empty = no PKCE was used (backward compatibility)
|
|
if ad.CodeChallenge == "" && ad.CodeChallengeMethod == "" {
|
|
return true
|
|
}
|
|
|
|
// Only one empty = invalid data state
|
|
if ad.CodeChallenge == "" || ad.CodeChallengeMethod == "" {
|
|
return false
|
|
}
|
|
|
|
// Validate code verifier length
|
|
if len(codeVerifier) < PKCECodeVerifierMinLength || len(codeVerifier) > PKCECodeVerifierMaxLength {
|
|
return false
|
|
}
|
|
|
|
// Validate code verifier format (unreserved characters from RFC 3986)
|
|
if !codeVerifierRegex.MatchString(codeVerifier) {
|
|
return false
|
|
}
|
|
|
|
// Only S256 method is supported
|
|
if ad.CodeChallengeMethod != PKCECodeChallengeMethodS256 {
|
|
return false
|
|
}
|
|
|
|
// Calculate S256 challenge: BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
|
|
hash := sha256.Sum256([]byte(codeVerifier))
|
|
calculatedChallenge := base64.RawURLEncoding.EncodeToString(hash[:])
|
|
|
|
return calculatedChallenge == ad.CodeChallenge
|
|
}
|
|
|
|
// ValidatePKCEForClientType validates PKCE parameters based on OAuth client type and security requirements
|
|
func (ad *AuthData) ValidatePKCEForClientType(isPublicClient bool, codeVerifier string) *AppError {
|
|
if isPublicClient {
|
|
// RFC 7636: Public clients MUST use PKCE
|
|
if ad.CodeChallenge == "" {
|
|
return NewAppError("AuthData.ValidatePKCEForClientType", "model.authorize.validate_pkce.public_client_required.app_error", nil, "client_id="+ad.ClientId, http.StatusBadRequest)
|
|
}
|
|
if codeVerifier == "" {
|
|
return NewAppError("AuthData.ValidatePKCEForClientType", "model.authorize.validate_pkce.verifier_required.app_error", nil, "client_id="+ad.ClientId, http.StatusBadRequest)
|
|
}
|
|
// Verify the code verifier matches the stored code challenge
|
|
if !ad.VerifyPKCE(codeVerifier) {
|
|
return NewAppError("AuthData.ValidatePKCEForClientType", "model.authorize.validate_pkce.verification_failed.app_error", nil, "client_id="+ad.ClientId, http.StatusBadRequest)
|
|
}
|
|
} else {
|
|
// Confidential clients: PKCE is optional but enforced if initiated
|
|
if ad.CodeChallenge != "" {
|
|
// Client started flow with PKCE - code_verifier is required
|
|
if codeVerifier == "" {
|
|
return NewAppError("AuthData.ValidatePKCEForClientType", "model.authorize.validate_pkce.verifier_required.app_error", nil, "client_id="+ad.ClientId, http.StatusBadRequest)
|
|
}
|
|
// Verify the code verifier matches the stored code challenge
|
|
if !ad.VerifyPKCE(codeVerifier) {
|
|
return NewAppError("AuthData.ValidatePKCEForClientType", "model.authorize.validate_pkce.verification_failed.app_error", nil, "client_id="+ad.ClientId, http.StatusBadRequest)
|
|
}
|
|
} else if codeVerifier != "" {
|
|
// Client provided code_verifier but didn't use PKCE in authorization - reject
|
|
return NewAppError("AuthData.ValidatePKCEForClientType", "model.authorize.validate_pkce.not_used_in_auth.app_error", nil, "client_id="+ad.ClientId, http.StatusBadRequest)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// ValidateResourceParameter validates a resource parameter per RFC 8707
|
|
func ValidateResourceParameter(resource, clientId, caller string) *AppError {
|
|
// Empty resource parameter is allowed (no resource specified)
|
|
if resource == "" {
|
|
return nil
|
|
}
|
|
|
|
// Resource must not exceed 512 characters to fit in database column
|
|
if len(resource) > 512 {
|
|
return NewAppError(caller, "model.authorize.is_valid.resource.length.app_error", nil, "client_id="+clientId, http.StatusBadRequest)
|
|
}
|
|
|
|
parsedURL, err := url.Parse(resource)
|
|
if err != nil {
|
|
return NewAppError(caller, "model.authorize.is_valid.resource.invalid_uri.app_error", nil, "client_id="+clientId, http.StatusBadRequest)
|
|
}
|
|
|
|
// Must be absolute URI (has scheme)
|
|
if !parsedURL.IsAbs() {
|
|
return NewAppError(caller, "model.authorize.is_valid.resource.not_absolute.app_error", nil, "client_id="+clientId, http.StatusBadRequest)
|
|
}
|
|
|
|
// Must not include a fragment component per RFC 8707
|
|
if parsedURL.Fragment != "" {
|
|
return NewAppError(caller, "model.authorize.is_valid.resource.has_fragment.app_error", nil, "client_id="+clientId, http.StatusBadRequest)
|
|
}
|
|
|
|
return nil
|
|
}
|