Merge branch 'eyre-sec-fixes' into sec-com-twitter

2-layer domain change required to write a proper driver
This commit is contained in:
Anton Dyudin 2016-03-09 14:50:10 -08:00
commit 738bd1946c
11 changed files with 162 additions and 61 deletions

View File

@ -745,9 +745,9 @@
=+ usr=(slav %ta p.tee)
=+ ((hard {pul/purl ^}) q.q.cay)
?. ?=($& -.r.p.pul)
~& [%auth-lost usr p.r.p.pul]
~& [%auth-lost usr (head:earn p.pul)]
(eyre-them tee q.cay)
(get-req:(dom-vi usr p.r.p.pul) q.tee q.cay)
(get-req:(dom-vi usr (scag 2 p.r.p.pul)) q.tee q.cay)
::
:: {$hi ^}
:: ?: ?=($| -.q.sih)

View File

@ -1,5 +1,5 @@
::
:::: /hoon/ticket/gen
:::: /hoon/list/gmail/gen
::
/? 310
::

View File

@ -0,0 +1,28 @@
::
:::: /hoon/google/init-oauth2/hood/gen
::
/? 314
/- sole
::
::::
!:
[sole .]
:- %ask
|= $: {now/@da eny/@uvI bec/beak}
{arg/$@($~ {jon/json $~})}
$~
==
^- (sole-result {$write-sec-atom p/host q/@})
%+ sole-yo leaf+"Accepting credentials for https://*.googleapis.com"
=+ hot=[%& /com/googleapis]
=- ?~ arg -
(fun.q.q jon.arg)
%+ sole-lo
[%& %oauth-json "json credentials: "]
%+ sole-go apex:poja
|= jon/json
=+ ~| bad-json+jon
=- `{cid/@t cis/@t}`(need (rep jon))
rep=(ot web+(ot 'client_id'^so 'client_secret'^so ~) ~):jo
%+ sole-so %write-sec-atom :: XX typed pair
[hot (role cid cis ~)]

View File

@ -1,3 +1,6 @@
::
:::: /hoon/oauth2/lib
::
|%
++ fass :: rewrite quay
|= a/quay
@ -18,14 +21,42 @@
?~ b ''
(rap 3 |-([i.b ?~(t.b ~ [a $(b t.b)])]))
::
++ mean-wall !.
|= {a/term b/tape} ^+ !!
=- (mean (flop `tang`[>a< -]))
(turn (lore (crip b)) |=(c/cord leaf+(trip c)))
::
++ dbg-post `purl`[`hart`[| `6.000 [%& /localhost]] `pork``/testing `quay`/]
++ endpoint |=({dom/(list cord) a/path} [[& ~ &+dom] [~ a] ~])
++ bad-response |=(a/@u ?:(=(2 (div a 100)) | ~&(bad-httr+a &)))
++ grab-json
|* {a/httr b/fist:jo}
~| bad-json+r.a
~| (poja q:(need r.a))
(need (;~(biff poja b) q:(need r.a)))
::
++ parse-url
|= a/$@(cord:purl purl) ^- purl
?^ a a
~| bad-url+a
(rash a auri:epur)
::
++ interpolate-url
|= {a/$@(cord purl) b/(unit hart) c/(list (pair term knot))}
^- purl
?@ a $(a (parse-url a)) :: deal with cord
%_ a
p ?^(b u.b p.a)
q.q (interpolate-path q.q.a c)
==
::
++ interpolate-path :: [/a/:b/c [%b 'foo']~] -> /a/foo/c
|= {a/path b/(list (pair term knot))} ^- path
?~ a ?~(b ~ ~|(unused-values+b !!))
=+ (rush i.a ;~(pfix col sym))
?~ - [i.a $(a t.a)] :: not interpolable
?~ b ~|(no-value+u !!)
?. =(u p.i.b) ~|(mismatch+[u p.i.b] !!)
[q.i.b $(a t.a, b t.b)]
--
::
::::
@ -35,40 +66,52 @@
++ refresh {tok/token needed/@da pending/_`?`|}
++ keys cord:{cid/@t cis/@t}
++ core-move |*(a/* $^({sec-move _a} sec-move)) ::here's a change
++ decode-keys :: XX from bale w/ typed %jael
|= key/keys
?~ key ~|(%oauth-no-keys ~_(leaf+"Run |init-oauth2" !!))
~| %oauth-bad-keys
((hard {cid/@t cis/@t $~}) (lore key))
--
::
::::
::
|= {dialog/{p/host q/path r/quay} code-exchange/path}
=+ state-usr=|
|= {dialog/$@(cord:purl purl) code-exchange/$@(cord:purl purl)}
=+ :+ state-usr=|
dialog-url=(parse-url dialog)
exchange-url=(parse-url code-exchange)
|_ {(bale keys) scope/(list cord)}
++ client-id cid:(decode-keys key)
++ client-secret cis:(decode-keys key)
++ client-id cid:decode-keys
++ client-secret cis:decode-keys
++ decode-keys :: XX from bale w/ typed %jael
^- {cid/@t cis/@t $~}
?. =(~ `@`key)
~| %oauth-bad-keys
((hard {cid/@t cis/@t $~}) (lore key))
%+ mean-wall %oauth-no-keys
"""
Run |init-oauth2
If necessary, obtain client keys configured for a redirect_uri of
{(trip redirect-uri)}
"""
::
++ urb-hart [| `8.443 [%& /localhost]] :: XX get from eyre
++ toke-url (endpoint dom code-exchange)
++ our-host .^(hart %e /(scot %p our)/host/fake)
++ auth-url
~& [%oauth-warning "Make sure this urbit".
"is running on {(earn urb-hart `~ ~)}"]
~& [%oauth-warning "Make sure this urbit ".
"is running on {(earn our-host `~ ~)}"]
^- purl
:+ [& ~ p.dialog] [~ q.dialog]
%- fass
%+ welp r.dialog
:~ state+?.(state-usr '' (pack usr /''))
client-id+client-id
redirect-uri+redirect-uri
scope+(join ' ' scope)
%_ dialog-url
r
%+ welp r.dialog-url
%- fass
:~ state+?.(state-usr '' (pack usr /''))
client-id+client-id
redirect-uri+redirect-uri
scope+(join ' ' scope)
==
==
::
++ redirect-uri
%- crip %- earn
=+ usr-knot=?:(state-usr '_state' (scot %ta usr))
`purl`[`hart`urb-hart `pork``/~/ac/(join '.' (flop dom))/[usr-knot]/in `quay`~]
%^ interpolate-url 'https://our-host/~/ac/:domain/:user/in'
`our-host
:~ domain+(join '.' (flop dom))
user+?:(state-usr '_state' (scot %ta usr))
==
::
++ out-filtered
|= {tok/token aut/$-(hiss hiss)}
@ -90,7 +133,7 @@
::
++ toke-req
|= {grant-type/cord quy/quay} ^- {$send hiss}
:+ %send toke-url
:+ %send exchange-url
:+ %post (malt ~[content-type+~['application/x-www-form-urlencoded']])
=- `(tact +:(tail:earn -))
%- fass
@ -119,7 +162,9 @@
|* {done/* parse/(pole {knot fist}:jo)}
|= handle/$-(_?~(parse ~ (need *(ot:jo parse))) (core-move done))
|= a/httr ^- (core-move done)
?: (bad-response p.a) [%redo ~] :: handle 4xx?
?: (bad-response p.a)
[%give a]
:: [%redo ~] :: handle 4xx?
(handle (grab-json a (ot:jo parse)))
::
++ res-give |=(a/httr [%give a])
@ -156,4 +201,3 @@
[[%redo ~] (handle-access axs.tok)]
--
--

26
sec/com/facebook.hoon Normal file
View File

@ -0,0 +1,26 @@
:: Test url +https://graph.facebook.com/v2.5/me
::
:::: /hoon/facebook/com/sec
::
/+ oauth2
::
::::
::
=+ ^= aut
%+ oauth2
dialog='https://www.facebook.com/dialog/oauth?response_type=code'
exchange='https://graph.facebook.com/v2.3/oauth/access_token'
|_ {bal/(bale keys.aut) access-token/token.aut}
++ auth ~(. aut bal /'user_about_me'/'user_posts')
++ out (out-quay:auth key='access_token' value=access-token)
++ in in-code:auth
++ bak
%- (bak-parse:auth . access-token.aut expires-in.aut ~)
|= {access-token/@t expires-in/@u}
?: (lth expires-in ^~((div ~d7 ~s1))) :: short-lived token
%^ toke-req:auth grant-type='fb_exchange_token'
[key='fb_exchange_token' value=access-token]
~
[[%redo ~] ..bak(access-token access-token)]
::++ wyp ~
--

View File

@ -1,18 +0,0 @@
/+ oauth2
::
::::
::
=+ [`/com/facebook/www /dialog/oauth response-type/%code ~]
=+ aut=(oauth2 - /'v2.3'/oauth/'access_token')
|_ [bal=(bale keys.aut) access-token=token.aut]
++ auth ~(. aut bal /'user_about_me'/'user_posts')
++ out (out-quay:auth 'access_token'^access-token)
++ in in-code:auth
++ bak
%- (bak-parse:auth . access-token.aut expires-in.aut ~)
|= [access-token=@t expires-in=@u]
?: (lth expires-in ^~((div ~d7 ~s1))) :: short-lived token
(toke-req:auth 'fb_exchange_token' fb-exchange-token/access-token ~)
[[%redo ~] ..bak(access-token access-token)]
::++ wyp ~
--

View File

@ -1,3 +1,7 @@
:: Test url +https://api.github.com/user
::
:::: /hoon/github/com/sec
::
/+ basic-auth
!:
|_ {bal/(bale keys:basic-auth) $~}

View File

@ -1,3 +1,7 @@
:: Test url +https://www.googleapis.com/oauth2/v1/userinfo
::
:::: /hoon/googleapis/com/sec
::
/+ oauth2
::
::::
@ -16,11 +20,16 @@
=+ lon=(fall (slaw %t usr) usr)
=< .(state-usr &)
%- oauth2
=- [[&+/com/google/accounts /o/oauth2/v2/auth -] /oauth2/v4/token]
:~ login-hint+?~(lon '' (crip (rash lon suffix-email)))
access-type+%offline
response-type+%code
prompt+%consent
:_ exchange='https://www.googleapis.com/oauth2/v4/token'
^= dialog
%* . (need (epur 'https://accounts.google.com/o/oauth2/v2/auth'))
r
%- fass:oauth2
:~ login-hint+?~(lon '' (crip (rash lon suffix-email)))
access-type+%offline
response-type+%code
prompt+%consent
==
==
--
!:
@ -28,10 +37,12 @@
::
|_ {bal/(bale keys:oauth2) user-state}
++ auth-re ~(. (re:auth .) ref |=(a/_ref +>(ref a)))
++ auth ~(. (auth-usr usr.bal) bal (scopes 'userinfo.email' 'plus.me' ~))
++ auth ~(. (auth-usr usr.bal) bal scopes)
++ scopes
=+ scope=|=(b/@ta (endpoint:oauth2 dom.bal /auth/[b]))
|=(a/(list @ta) ['https://mail.google.com' (turn a |=(b/@ta (crip (earn (scope b)))))])
:~ 'https://mail.google.com'
'https://www.googleapis.com/auth/plus.me'
'https://www.googleapis.com/auth/userinfo.email'
==
::
++ out (out-fix-expired:auth-re (out-math:auth ber))
++ res |=(a/httr ((res-handle-refreshed:auth-re save-access res-give:auth) a))
@ -43,5 +54,4 @@
(in-code:auth a)
++ bak |=(a/httr ((bak-save-tokens:auth-re save-access) a))
++ upd *user-state
::
--

View File

@ -1,11 +1,18 @@
:: Test url +https://slack.com/api/auth.test
::
:::: /hoon/slack/com/sec
::
/+ oauth2
::
::::
::
=+ aut=(oauth2 [`/com/slack /oauth/authorize ~] /api/'oauth.access')
|_ [(bale keys:oauth2) tok=token.aut]
=+ ^= aut
%+ oauth2
'https://slack.com/oauth/authorize'
'https://slack.com/api/oauth.access'
|_ {(bale keys:oauth2) tok/token.aut}
++ aut ~(. ^aut +<- /client/admin)
++ out (out-quay:aut 'token'^tok)
++ in in-code:aut
++ bak (bak-save-access:aut . |=(tok=token:aut +>(tok tok)))
++ bak (bak-save-access:aut . |=(tok/token:aut +>(tok tok)))
--

View File

@ -1,5 +1,5 @@
::
:::: /hoon/talk/web
:::: /hoon/listen/web
::
/? 310
;div.mini-module