client: Add login_with_sso
This commit is contained in:
parent
6f59e895b6
commit
8679e81555
3 changed files with 273 additions and 1 deletions
|
@ -25,8 +25,9 @@ markdown = ["matrix-sdk-base/markdown"]
|
|||
native-tls = ["reqwest/native-tls"]
|
||||
rustls-tls = ["reqwest/rustls-tls"]
|
||||
socks = ["reqwest/socks"]
|
||||
sso_login = ["warp", "rand", "tokio-stream"]
|
||||
|
||||
docs = ["encryption", "sled_cryptostore", "sled_state_store"]
|
||||
docs = ["encryption", "sled_cryptostore", "sled_state_store", "sso_login"]
|
||||
|
||||
[dependencies]
|
||||
dashmap = { version = "4.0.2", optional = true }
|
||||
|
@ -38,6 +39,7 @@ tracing = "0.1.22"
|
|||
url = "2.2.0"
|
||||
zeroize = "1.2.0"
|
||||
mime = "0.3.16"
|
||||
rand = { version = "0.8.2", optional = true }
|
||||
|
||||
matrix-sdk-common = { version = "0.2.0", path = "../matrix_sdk_common" }
|
||||
|
||||
|
@ -50,6 +52,16 @@ default_features = false
|
|||
version = "0.11.0"
|
||||
default_features = false
|
||||
|
||||
[dependencies.tokio-stream]
|
||||
version = "0.1.4"
|
||||
features = ["net"]
|
||||
optional = true
|
||||
|
||||
[dependencies.warp]
|
||||
version = "0.3.0"
|
||||
default-features = false
|
||||
optional = true
|
||||
|
||||
[target.'cfg(not(target_arch = "wasm32"))'.dependencies.backoff]
|
||||
version = "0.3.0"
|
||||
features = ["tokio"]
|
||||
|
|
|
@ -15,6 +15,12 @@
|
|||
|
||||
#[cfg(feature = "encryption")]
|
||||
use std::{collections::BTreeMap, io::Write, path::PathBuf};
|
||||
#[cfg(feature = "sso_login")]
|
||||
use std::{
|
||||
collections::HashMap,
|
||||
io::{Error as IoError, ErrorKind as IoErrorKind},
|
||||
ops::Range,
|
||||
};
|
||||
use std::{
|
||||
convert::TryInto,
|
||||
fmt::{self, Debug},
|
||||
|
@ -29,9 +35,19 @@ use std::{
|
|||
use dashmap::DashMap;
|
||||
use futures_timer::Delay as sleep;
|
||||
use http::HeaderValue;
|
||||
#[cfg(feature = "sso_login")]
|
||||
use http::Response;
|
||||
use mime::{self, Mime};
|
||||
#[cfg(feature = "sso_login")]
|
||||
use rand::{thread_rng, Rng};
|
||||
use reqwest::header::InvalidHeaderValue;
|
||||
#[cfg(feature = "sso_login")]
|
||||
use tokio::{net::TcpListener, sync::oneshot};
|
||||
#[cfg(feature = "sso_login")]
|
||||
use tokio_stream::wrappers::TcpListenerStream;
|
||||
use url::Url;
|
||||
#[cfg(feature = "sso_login")]
|
||||
use warp::Filter;
|
||||
#[cfg(feature = "encryption")]
|
||||
use zeroize::Zeroizing;
|
||||
|
||||
|
@ -120,6 +136,12 @@ const SYNC_REQUEST_TIMEOUT: Duration = Duration::from_secs(15);
|
|||
const DEFAULT_UPLOAD_SPEED: u64 = 125_000;
|
||||
/// 5 min minimal upload request timeout, used to clamp the request timeout.
|
||||
const MIN_UPLOAD_REQUEST_TIMEOUT: Duration = Duration::from_secs(60 * 5);
|
||||
/// The range of ports the SSO server will try to bind to randomly
|
||||
#[cfg(feature = "sso_login")]
|
||||
const SSO_SERVER_BIND_RANGE: Range<u16> = 20000..30000;
|
||||
/// The number of timesthe SSO server will try to bind to a random port
|
||||
#[cfg(feature = "sso_login")]
|
||||
const SSO_SERVER_BIND_TRIES: u8 = 10;
|
||||
|
||||
/// An async/await enabled Matrix client.
|
||||
///
|
||||
|
@ -738,6 +760,200 @@ impl Client {
|
|||
Ok(response)
|
||||
}
|
||||
|
||||
/// Login to the server via Single Sign-On.
|
||||
///
|
||||
/// This takes care of the whole SSO flow:
|
||||
/// * Spawn a local http server
|
||||
/// * Provide a callback to open the SSO login URL in a web browser
|
||||
/// * Wait for the local http server to get the loginToken
|
||||
/// * Call [`login_with_token`]
|
||||
///
|
||||
/// If cancellation is needed the method should be wrapped in a cancellable
|
||||
/// task. **Note** that users with root access to the system have the ability
|
||||
/// to snoop in on the data/token that is passed to the local HTTP server
|
||||
/// that will be spawned.
|
||||
///
|
||||
/// If you need more control over the SSO login process, you should use
|
||||
/// [`get_sso_login_url`] and [`login_with_token`] directly.
|
||||
///
|
||||
/// This should only be used for the first login.
|
||||
///
|
||||
/// The [`restore_login`] method should be used to restore a
|
||||
/// logged in client after the first login.
|
||||
///
|
||||
/// A device id should be provided to restore the correct stores, if the
|
||||
/// device id isn't provided a new device will be created.
|
||||
///
|
||||
/// # Arguments
|
||||
///
|
||||
/// * `use_sso_login_url` - A callback that will receive the SSO Login URL. It
|
||||
/// should usually be used to open the SSO URL in a browser and must return
|
||||
/// `Ok(())` if the URL was successfully opened. If it returns `Err`, the
|
||||
/// error will be forwarded.
|
||||
///
|
||||
/// * `server_url` - The local URL the server is going to try to bind to, e.g.
|
||||
/// `http://localhost:3030`. If `None`, the server will try to open a random
|
||||
/// port on localhost.
|
||||
///
|
||||
/// * `server_response` - The text that will be shown on the webpage at the end
|
||||
/// of the login process. This can be an HTML page. If `None`, a default
|
||||
/// text will be displayed.
|
||||
///
|
||||
/// * `device_id` - A unique id that will be associated with this session. If
|
||||
/// not given the homeserver will create one. Can be an existing device_id
|
||||
/// from a previous login call. Note that this should be provided only
|
||||
/// if the client also holds the encryption keys for this device.
|
||||
///
|
||||
/// * `initial_device_display_name` - A public display name that will be
|
||||
/// associated with the device_id. Only necessary the first time you
|
||||
/// login with this device_id. It can be changed later.
|
||||
///
|
||||
/// # Example
|
||||
/// ```no_run
|
||||
/// # use matrix_sdk::Client;
|
||||
/// # use futures::executor::block_on;
|
||||
/// # use url::Url;
|
||||
/// # let homeserver = Url::parse("https://example.com").unwrap();
|
||||
/// # block_on(async {
|
||||
/// let client = Client::new(homeserver).unwrap();
|
||||
///
|
||||
/// let response = client
|
||||
/// .login_with_sso(
|
||||
/// |sso_url| async move {
|
||||
/// // Open sso_url
|
||||
/// Ok(())
|
||||
/// },
|
||||
/// None,
|
||||
/// None,
|
||||
/// None,
|
||||
/// Some("My app")
|
||||
/// )
|
||||
/// .await
|
||||
/// .unwrap();
|
||||
///
|
||||
/// println!("Logged in as {}, got device_id {} and access_token {}",
|
||||
/// response.user_id, response.device_id, response.access_token);
|
||||
/// # })
|
||||
/// ```
|
||||
///
|
||||
/// [`get_sso_login_url`]: #method.get_sso_login_url
|
||||
/// [`login_with_token`]: #method.login_with_token
|
||||
/// [`restore_login`]: #method.restore_login
|
||||
#[cfg(all(feature = "sso_login", not(target_arch = "wasm32")))]
|
||||
#[cfg_attr(
|
||||
feature = "docs",
|
||||
doc(cfg(all(sso_login, not(target_arch = "wasm32"))))
|
||||
)]
|
||||
pub async fn login_with_sso<C>(
|
||||
&self,
|
||||
use_sso_login_url: impl Fn(String) -> C,
|
||||
server_url: Option<&str>,
|
||||
server_response: Option<&str>,
|
||||
device_id: Option<&str>,
|
||||
initial_device_display_name: Option<&str>,
|
||||
) -> Result<login::Response>
|
||||
where
|
||||
C: Future<Output = Result<()>>,
|
||||
{
|
||||
info!("Logging in to {}", self.homeserver);
|
||||
let (signal_tx, signal_rx) = oneshot::channel();
|
||||
let (data_tx, data_rx) = oneshot::channel();
|
||||
let data_tx_mutex = Arc::new(std::sync::Mutex::new(Some(data_tx)));
|
||||
|
||||
let mut redirect_url = match server_url {
|
||||
Some(s) => match Url::parse(s) {
|
||||
Ok(url) => url,
|
||||
Err(err) => return Err(IoError::new(IoErrorKind::InvalidData, err).into()),
|
||||
},
|
||||
None => Url::parse("http://localhost:0/").unwrap(),
|
||||
};
|
||||
|
||||
let response = match server_response {
|
||||
Some(s) => s.to_string(),
|
||||
None => String::from(
|
||||
"The Single Sign-On login process is complete. You can close this page now.",
|
||||
),
|
||||
};
|
||||
|
||||
let route = warp::get()
|
||||
.and(warp::query::<HashMap<String, String>>())
|
||||
.map(move |p: HashMap<String, String>| {
|
||||
if let Some(data_tx) = data_tx_mutex.lock().unwrap().take() {
|
||||
if let Some(token) = p.get("loginToken") {
|
||||
data_tx.send(Some(token.to_owned())).unwrap();
|
||||
} else {
|
||||
data_tx.send(None).unwrap();
|
||||
}
|
||||
}
|
||||
Response::builder().body(response.clone())
|
||||
});
|
||||
|
||||
let listener = {
|
||||
if redirect_url
|
||||
.port()
|
||||
.expect("The redirect URL doesn't include a port")
|
||||
== 0
|
||||
{
|
||||
let host = redirect_url
|
||||
.host_str()
|
||||
.expect("The redirect URL doesn't have a host");
|
||||
let mut n = 0u8;
|
||||
let mut port = 0u16;
|
||||
let mut res = Err(IoError::new(IoErrorKind::Other, ""));
|
||||
let mut rng = thread_rng();
|
||||
|
||||
while res.is_err() && n < SSO_SERVER_BIND_TRIES {
|
||||
port = rng.gen_range(SSO_SERVER_BIND_RANGE);
|
||||
res = TcpListener::bind((host, port)).await;
|
||||
n += 1;
|
||||
}
|
||||
match res {
|
||||
Ok(s) => {
|
||||
redirect_url
|
||||
.set_port(Some(port))
|
||||
.expect("Could not set new port on redirect URL");
|
||||
s
|
||||
}
|
||||
Err(err) => return Err(err.into()),
|
||||
}
|
||||
} else {
|
||||
match TcpListener::bind(redirect_url.as_str()).await {
|
||||
Ok(s) => s,
|
||||
Err(err) => return Err(err.into()),
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
let server = warp::serve(route).serve_incoming_with_graceful_shutdown(
|
||||
TcpListenerStream::new(listener),
|
||||
async {
|
||||
signal_rx.await.ok();
|
||||
},
|
||||
);
|
||||
|
||||
tokio::spawn(server);
|
||||
|
||||
let sso_url = self.get_sso_login_url(redirect_url.as_str()).unwrap();
|
||||
|
||||
match use_sso_login_url(sso_url).await {
|
||||
Ok(t) => t,
|
||||
Err(err) => return Err(err),
|
||||
};
|
||||
|
||||
let token = match data_rx.await {
|
||||
Ok(Some(t)) => t,
|
||||
Ok(None) => {
|
||||
return Err(IoError::new(IoErrorKind::Other, "Could not get the loginToken").into())
|
||||
}
|
||||
Err(err) => return Err(IoError::new(IoErrorKind::Other, format!("{}", err)).into()),
|
||||
};
|
||||
|
||||
let _ = signal_tx.send(());
|
||||
|
||||
self.login_with_token(token.as_str(), device_id, initial_device_display_name)
|
||||
.await
|
||||
}
|
||||
|
||||
/// Login to the server with a token.
|
||||
///
|
||||
/// This token is usually received in the SSO flow after following the URL
|
||||
|
@ -1990,6 +2206,46 @@ mod test {
|
|||
assert!(logged_in, "Client should be logged in");
|
||||
}
|
||||
|
||||
#[cfg(feature = "sso_login")]
|
||||
#[tokio::test]
|
||||
async fn login_with_sso() {
|
||||
let _m_login = mock("POST", "/_matrix/client/r0/login")
|
||||
.with_status(200)
|
||||
.with_body(test_json::LOGIN.to_string())
|
||||
.create();
|
||||
|
||||
let homeserver = Url::from_str(&mockito::server_url()).unwrap();
|
||||
let client = Client::new(homeserver).unwrap();
|
||||
|
||||
client
|
||||
.login_with_sso(
|
||||
|sso_url| async move {
|
||||
let sso_url = Url::parse(sso_url.as_str()).unwrap();
|
||||
|
||||
let (_, redirect) = sso_url
|
||||
.query_pairs()
|
||||
.find(|(key, _)| key == "redirectUrl")
|
||||
.unwrap();
|
||||
|
||||
let mut redirect_url = Url::parse(redirect.into_owned().as_str()).unwrap();
|
||||
redirect_url.set_query(Some("loginToken=tinytoken"));
|
||||
|
||||
reqwest::get(redirect_url.to_string()).await.unwrap();
|
||||
|
||||
Ok(())
|
||||
},
|
||||
None,
|
||||
None,
|
||||
None,
|
||||
None,
|
||||
)
|
||||
.await
|
||||
.unwrap();
|
||||
|
||||
let logged_in = client.logged_in().await;
|
||||
assert!(logged_in, "Client should be logged in");
|
||||
}
|
||||
|
||||
#[tokio::test]
|
||||
async fn login_with_sso_token() {
|
||||
let homeserver = Url::from_str(&mockito::server_url()).unwrap();
|
||||
|
|
|
@ -45,6 +45,7 @@
|
|||
//! of Synapse in compliance with the Matrix API specification.
|
||||
//! * `markdown`: Support for sending markdown formatted messages.
|
||||
//! * `socks`: Enables SOCKS support in reqwest, the default HTTP client.
|
||||
//! * `sso_login`: Enables SSO login with a local http server.
|
||||
|
||||
#![deny(
|
||||
missing_debug_implementations,
|
||||
|
@ -64,6 +65,9 @@ compile_error!("one of 'native-tls' or 'rustls-tls' features must be enabled");
|
|||
#[cfg(all(feature = "native-tls", feature = "rustls-tls",))]
|
||||
compile_error!("only one of 'native-tls' or 'rustls-tls' features can be enabled");
|
||||
|
||||
#[cfg(all(feature = "sso_login", target_arch = "wasm32"))]
|
||||
compile_error!("'sso_login' cannot be enabled on 'wasm32' arch");
|
||||
|
||||
#[cfg(feature = "encryption")]
|
||||
#[cfg_attr(feature = "docs", doc(cfg(encryption)))]
|
||||
pub use matrix_sdk_base::crypto::{EncryptionInfo, LocalTrust};
|
||||
|
|
Loading…
Reference in a new issue