diff --git a/config.env.py b/config.env.py
index da46212..cd8cd52 100644
--- a/config.env.py
+++ b/config.env.py
@@ -11,6 +11,9 @@
 # OpenID Connect SSO config
 OIDC_ISSUER = os.environ.get('OIDC_ISSUER', 'https://sso.csh.rit.edu/auth/realms/csh')
+
+OIDC_REDIRECT_URI = os.environ.get('OIDC_REDIRECT_URI',
+                                   'https://eac.csh.rit.edu/redirect_uri')
 OIDC_CLIENT_CONFIG = {
     'client_id': os.environ.get('OIDC_CLIENT_ID', ''),
     'client_secret': os.environ.get('OIDC_CLIENT_SECRET', ''),
@@ -28,9 +31,10 @@
 SLACK_SECRET = os.environ.get('SLACK_SECRET', '')
 # GitHub secrets
-GITHUB_OAUTH_CLIENT_ID = os.environ.get('GITHUB_OAUTH_CLIENT_ID', '')
-GITHUB_OAUTH_CLIENT_SECRET = os.environ.get('GITHUB_OAUTH_CLIENT_SECRET', '')
+GITHUB_REDIRECT_URI = os.environ.get('GITHUB_REDIRECT_URI',
+                                     'https://eac.csh.rit.edu/github/return')
 GITHUB_APP_CLIENT_ID = os.environ.get('GITHUB_APP_CLIENT_ID', '')
+GITHUB_APP_CLIENT_SECRET = os.environ.get('GITHUB_APP_CLIENT_SECRET', '')
 GITHUB_APP_PRIVATE_KEY = os.environ.get('GITHUB_APP_PRIVATE_KEY', '')
 # Twitch secrets
diff --git a/eac/__init__.py b/eac/__init__.py
index 3188059..dd22928 100644
--- a/eac/__init__.py
+++ b/eac/__init__.py
@@ -55,7 +55,9 @@
 _GITHUB_AUTH_URI = 'https://github.com/login/oauth/authorize' \
     + '?client_id=%s' \
-    + '&state=%s'
+    + '&state=%s' \
+    + '&redirect_uri=%s'
+
 _GITHUB_TOKEN_URI = 'https://github.com/login/oauth/access_token' \
     + '?client_id=%s' \
     + '&client_secret=%s' \
@@ -151,7 +153,8 @@ def _auth_github() -> werkzeug.Response:
     # Redirect to github for authorisation
     return redirect(
         _GITHUB_AUTH_URI %
-        (APP.config['GITHUB_OAUTH_CLIENT_ID'], APP.config['STATE']))
+        (APP.config['GITHUB_APP_CLIENT_ID'], APP.config['STATE'],
+         urllib.parse.quote(APP.config['GITHUB_REDIRECT_URI'], safe='')))
 @APP.route('/github/return', methods=['GET'])
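Review bot: `GITHUB_APP_CLIENT_SECRET` falls back to an empty string, so a deployment that forgets to set it only fails later, at the token exchange in `_github_landing`, with an opaque GitHub error rather than at startup. Since the secret is a required credential rather than an optional knob, prefer failing fast with `GITHUB_APP_CLIENT_SECRET = os.environ['GITHUB_APP_CLIENT_SECRET']`, or at least a comment on the line saying it must be set. The `GITHUB_REDIRECT_URI` default hardcodes the production callback; a staging instance that does not override it will be sent back to production after authorising, so the comment above the block should say both values must be overridden per environment.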
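Review bot: The `state` parameter is still taken from `APP.config['STATE']`, which is application-wide config and so presumably the same value for every login; a fixed state gives no CSRF binding between this redirect and the `/github/return` callback, which is the whole purpose of the parameter (RFC 6749 §10.12). Generate it per request and keep it in the session, e.g. `state = secrets.token_urlsafe(32)`, `session['github_oauth_state'] = state`, and compare it against `request.args.get('state')` in `_github_landing` before exchanging the code. While here, pass the value through `urllib.parse.quote` like the redirect URI, since it is interpolated into a query string unescaped. `_auth_github` starts before this hunk, so the session handling it already does is not visible here.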
@@ -165,8 +168,8 @@ def _github_landing() -> tuple[str, int]:
     # Get token from github
     resp = requests.post(
         _GITHUB_TOKEN_URI %
-        (APP.config['GITHUB_OAUTH_CLIENT_ID'],
-         APP.config['GITHUB_OAUTH_CLIENT_SECRET'], request.args.get('code')),
+        (APP.config['GITHUB_APP_CLIENT_ID'],
+         APP.config['GITHUB_APP_CLIENT_SECRET'], request.args.get('code')),
         headers={'Accept': 'application/json'},
         timeout=APP.config['REQUEST_TIMEOUT'])
     try:
@@ -176,9 +179,14 @@ def _github_landing() -> tuple[str, int]:
         raise e
     resp_json = resp.json()
-    token = resp_json['access_token']
+    try:
+        user_token = resp_json['access_token']
+    except KeyError as e:
+        print('error: ', e, resp_json)
+        raise e
+
     header = {
-        'Authorization': 'token ' + token,
+        'Authorization': 'Bearer ' + user_token,
         'Accept': 'application/vnd.github.v3+json'
     }
@@ -200,7 +208,7 @@ def _github_landing() -> tuple[str, int]:
     uid = str(session['userinfo'].get('preferred_username', ''))
     member = _LDAP.get_member(uid, uid=True)
-    _link_github(github_username, github_id, member)
+    _link_github(github_username, github_id, member, user_token)
     return render_template('callback.html'), 200
@@ -255,7 +263,8 @@ def _auth_github_org() -> str:
     return org_token
-def _link_github(github_username: str, github_id: str, member: Any) -> None:
+def _link_github(github_username: str, github_id: str, member: Any,
+                 user_token: str) -> None:
     """
     Puts a member's github into LDAP and adds them to the org.
     :param github_username: the user's github username
@@ -286,6 +295,17 @@ def _link_github(github_username: str, github_id: str, member: Any) -> None:
         print('response:', resp.json())
         raise e
+    github_user_headers = {
+        'Accept': 'application/vnd.github.v3+json',
+        'Authorization': f'Token {user_token}',
+    }
+
+    requests.patch(
+        'https://api.github.com/user/memberships/orgs/ComputerScienceHouse',
+        headers=github_user_headers,
+        json={'state': 'active'},
+        timeout=APP.config['REQUEST_TIMEOUT'])
+
     member.github = github_username
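Review bot: The token exchange puts `GITHUB_APP_CLIENT_SECRET` and the authorization `code` into the URL of the POST via `_GITHUB_TOKEN_URI`, where they end up in proxy and access logs and in any `requests` exception text that includes the URL; GitHub accepts these as form-encoded POST body parameters, which is where a client secret belongs. Send them as `data=` and keep the URL bare. `request.args.get('code')` can also be `None`, which `%s` would format as the literal string `None` and send to GitHub, so reject the request up front when the code is missing. `_github_landing` continues outside the hunk, so the `try` that follows is not visible here.
```python
    code = request.args.get('code')
    if not code:
        return 'Missing authorization code', 400
    # Get token from github
    resp = requests.post(
        'https://github.com/login/oauth/access_token',
        data={
            'client_id': APP.config['GITHUB_APP_CLIENT_ID'],
            'client_secret': APP.config['GITHUB_APP_CLIENT_SECRET'],
            'code': code,
        },
        headers={'Accept': 'application/json'},
        timeout=APP.config['REQUEST_TIMEOUT'])
    # … unchanged: try / error handling of resp …
```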
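Review bot: The new `except KeyError` branch prints and re-raises, so a token reply without `access_token` — which, as far as I recall, is how GitHub reports a bad or already-used `code` and a `redirect_uri` mismatch (an HTTP 200 carrying an `error` field, so the status check in the `try` block above, whose body is outside this hunk, will not catch it) — reaches the user as an unhandled 500 instead of a clear client error. Log `resp_json.get('error')` and `resp_json.get('error_description')` and return a 4xx, e.g. `return 'GitHub did not issue a token', 400`, rather than re-raising; if you do keep the re-raise, use a bare `raise` so the traceback is preserved. Note also that this hunk switches the header to `'Bearer ' + user_token` while the new code in `_link_github` sends `f'Token {user_token}'` for the same token — pick one scheme. `_github_landing` starts and ends outside this hunk.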
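Review bot: The signature gains `user_token` but the docstring visible in this hunk is not extended for it; unless a `:param user_token:` line is added further down (the docstring continues outside the hunk), add `:param user_token: the member's GitHub OAuth access token, sent as their Authorization header to set their org membership state to active`. It is worth saying in the same docstring that the token is a bearer credential that must not be logged, and that — because the membership PATCH added later in this commit discards its response — a token GitHub rejects currently fails silently, so callers cannot tell whether the membership was activated. `_link_github`'s body continues outside the hunk.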