[scpubgit/stemmaweb.git] / lib / stemmaweb / Authentication / Credential / Google.pm

package stemmaweb::Authentication::Credential::Google;

use Crypt::OpenSSL::X509;
use JSON::WebToken;
use IO::All;
use JSON::MaybeXS;
use MIME::Base64;
use LWP::Simple qw(get);
use Date::Parse qw(str2time);

use warnings;
use strict;
use strictures 1;

=head1 NAME

stemmaweb::Authentication::Google - JSON Web Token handler for Google tokens.

=head1 DESCRIPTION

Retrieves Google's public certificates, and then retrieves the key from the
cert using L<Crypt::OpenSSL::X509>. Finally, uses the pubkey to decrypt a
Google token using L<JSON::WebToken>.

=cut

sub new {
    my ($class, $config, $app, $realm) = @_;
    $class = ref $class || $class;

    my $self = {
        _config => $config,
        _app    => $app,
        _realm  => $realm,
    };

    bless $self, $class;
}

sub authenticate {
    my ($self, $c, $realm, $authinfo) =@_;

    my $id_token = $authinfo->{id_token};
    $id_token ||= $c->req->method eq 'GET' ?
        $c->req->query_params->{id_token} : $c->req->body_params->{id_token};

    if (!$id_token) {
        Catalyst::Exception->throw("id_token not specified.");
    }

    my $email = $authinfo->{email};
    $email ||= $c->req->method eq 'GET' ? $c->req->query_params->{email} :
    $c->req->body_params->{email};

    my $userinfo = $self->decode($id_token);

    my $sub = $userinfo->{sub};
    my $openid = $userinfo->{openid_id};

    $userinfo->{email} = $email if $email;

    if (!$sub || !$openid) {
        Catalyst::Exception->throw(
            'Could not retrieve sub and openid from token! Is the token
            correct?'
        );
    }

    return $realm->find_user($userinfo, $c);
}

=head1 METHODS

=head2 retrieve_certs

Retrieves a pair of JSON-encoded certificates from the given URL (defaults to
Google's public cert url), and returns the decoded JSON object.

=head3 ARGUMENTS

=over

=item url

Optional. Location where certificates are located.
Defaults to https://www.googleapis.com/oauth2/v1/certs.

=back

=head3 RETURNS

Decoded JSON object containing certificates.

=cut

sub retrieve_certs {
    my ($self, $url) = @_;

    my $c = $self->{_app};
    my $cached = 0;
    my $certs;
    my $cache;

    $url ||= ( $c->config->{'Authentication::Credential::Google'}->{public_cert_url} || 'https://www.googleapis.com/oauth2/v1/certs' );

    if ( ($c->registered_plugins('Catalyst::Plugin::Cache')) && ($cache = $c->cache) ) {
        if ($certs = $cache->get('certs')) {
            $certs = decode_json($certs);

            foreach my $key (keys %$certs) {
                my $cert = $certs->{$key};
                my $x509 = Crypt::OpenSSL::X509->new_from_string($cert);

                if ($self->is_cert_expired($x509)) {
                    $cached = 0;
                    last;
                } else {
                    $cached = 1;
                }
            }
        }
    }

    if (!$cached) {
        my $certs_encoded = get($url);

        if ($cache) {
            $cache->set('certs', $certs_encoded);
        }

        $certs = decode_json($certs_encoded);
    }

    return $certs;
}

=head2 get_key_from_cert

Given a pair of certificates $certs (defaults to L</retrieve_certs>),
this function returns the public key of the cert identified by $kid.

=head3 ARGUMENTS

=over

=item $kid

Required. Index of the certificate hash $hash where the cert we want is
located.

=item $certs

Optional. A (hashref) pair of certificates.
It's retrieved using L</retrieve_certs> if not given,
or if the pair is expired.

=back

=head3 RETURNS

Public key of certificate.

=cut

sub get_key_from_cert {
    my ($self, $kid, $certs) = @_;

    $certs ||= $self->retrieve_certs;
    my $cert = $certs->{$kid};
    my $x509 = Crypt::OpenSSL::X509->new_from_string($cert);

    if ($self->is_cert_expired($x509)) {
        # If we ended up here, we were given
        # an old $certs string from the user.
        # Let's force getting another.
        return $self->get_key_from_cert($kid);
    }

    return $x509->pubkey;
}

=head2 is_cert_expired

Returns if a given L<Crypt::OpenSSL::X509> certificate is expired.

=cut

sub is_cert_expired {
    my ($self, $x509) = @_;

    my $expiry = str2time($x509->notAfter);

    return time > $expiry;
}

=head2 decode

Returns the decoded information contained in a user's token.

=head3 ARGUMENTS

=over

=item $token

Required. The user's token from Google+.

=item $pubkey

Optional. A public key string with which to decode the token.
If not given, the public key will be retrieved from $certs.

=item $certs

Optional. A pair of public key certs retrieved from Google.
If not given, or if the certificates have expired, a new
pair of certificates is retrieved.

=back

=head2 RETURNS

Decoded JSON object from the decrypted token.

=cut

sub decode {
    my ($self, $token, $certs, $pubkey) = @_;

    if (!$pubkey) {
        my $details = decode_json(
            MIME::Base64::decode_base64(
                substr( $token, 0, CORE::index($token, '.') )
            )
        );

        my $kid = $details->{kid};
        $pubkey = $self->get_key_from_cert($kid, $certs);
    }

    return JSON::WebToken->decode($token, $pubkey);
}

=head1 AUTHOR

Errietta Kostala <e.kostala@shadowcat.co.uk>

=head1 LICENSE

This library is free software. You can redistribute it and/or modify
it under the same terms as Perl itself.

=cut

1;
Commit	Line	Data
85990daf	1	package stemmaweb::Authentication::Credential::Google;
	2
	3	use Crypt::OpenSSL::X509;
	4	use JSON::WebToken;
	5	use IO::All;
	6	use JSON::MaybeXS;
	7	use MIME::Base64;
	8	use LWP::Simple qw(get);
	9	use Date::Parse qw(str2time);
	10
	11	use warnings;
	12	use strict;
	13	use strictures 1;
	14
	15	=head1 NAME
	16
	17	stemmaweb::Authentication::Google - JSON Web Token handler for Google tokens.
	18
	19	=head1 DESCRIPTION
	20
	21	Retrieves Google's public certificates, and then retrieves the key from the
	22	cert using L<Crypt::OpenSSL::X509>. Finally, uses the pubkey to decrypt a
	23	Google token using L<JSON::WebToken>.
	24
	25	=cut
	26
	27	sub new {
	28	my ($class, $config, $app, $realm) = @_;
	29	$class = ref $class \|\| $class;
	30
	31	my $self = {
	32	_config => $config,
	33	_app => $app,
	34	_realm => $realm,
	35	};
	36
	37	bless $self, $class;
	38	}
	39
	40	sub authenticate {
	41	my ($self, $c, $realm, $authinfo) =@_;
	42
	43	my $id_token = $authinfo->{id_token};
	44	$id_token \|\|= $c->req->method eq 'GET' ?
	45	$c->req->query_params->{id_token} : $c->req->body_params->{id_token};
	46
85990daf	47	if (!$id_token) {
	48	Catalyst::Exception->throw("id_token not specified.");
	49	}
	50
1c65af41	51	my $email = $authinfo->{email};
	52	$email \|\|= $c->req->method eq 'GET' ? $c->req->query_params->{email} :
	53	$c->req->body_params->{email};
	54
85990daf	55	my $userinfo = $self->decode($id_token);
85990daf	56
85990daf	57	my $sub = $userinfo->{sub};
	58	my $openid = $userinfo->{openid_id};
	59
1c65af41	60	$userinfo->{email} = $email if $email;
1c65af41	61
85990daf	62	if (!$sub \|\| !$openid) {
	63	Catalyst::Exception->throw(
	64	'Could not retrieve sub and openid from token! Is the token
	65	correct?'
	66	);
	67	}
	68
83ed6665	69	return $realm->find_user($userinfo, $c);
85990daf	70	}
	71
	72	=head1 METHODS
	73
	74	=head2 retrieve_certs
	75
	76	Retrieves a pair of JSON-encoded certificates from the given URL (defaults to
	77	Google's public cert url), and returns the decoded JSON object.
	78
	79	=head3 ARGUMENTS
	80
	81	=over
	82
	83	=item url
	84
	85	Optional. Location where certificates are located.
	86	Defaults to https://www.googleapis.com/oauth2/v1/certs.
	87
	88	=back
	89
	90	=head3 RETURNS
	91
	92	Decoded JSON object containing certificates.
	93
	94	=cut
	95
	96	sub retrieve_certs {
	97	my ($self, $url) = @_;
	98
e490a3d8	99	my $c = $self->{_app};
	100	my $cached = 0;
	101	my $certs;
	102	my $cache;
	103
	104	$url \|\|= ( $c->config->{'Authentication::Credential::Google'}->{public_cert_url} \|\| 'https://www.googleapis.com/oauth2/v1/certs' );
	105
	106	if ( ($c->registered_plugins('Catalyst::Plugin::Cache')) && ($cache = $c->cache) ) {
	107	if ($certs = $cache->get('certs')) {
	108	$certs = decode_json($certs);
	109
	110	foreach my $key (keys %$certs) {
	111	my $cert = $certs->{$key};
	112	my $x509 = Crypt::OpenSSL::X509->new_from_string($cert);
	113
	114	if ($self->is_cert_expired($x509)) {
	115	$cached = 0;
	116	last;
	117	} else {
	118	$cached = 1;
	119	}
	120	}
	121	}
	122	}
	123
	124	if (!$cached) {
	125	my $certs_encoded = get($url);
	126
	127	if ($cache) {
	128	$cache->set('certs', $certs_encoded);
	129	}
	130
	131	$certs = decode_json($certs_encoded);
	132	}
	133
	134	return $certs;
85990daf	135	}
	136
	137	=head2 get_key_from_cert
	138
	139	Given a pair of certificates $certs (defaults to L</retrieve_certs>),
	140	this function returns the public key of the cert identified by $kid.
	141
	142	=head3 ARGUMENTS
	143
	144	=over
	145
	146	=item $kid
	147
	148	Required. Index of the certificate hash $hash where the cert we want is
	149	located.
	150
	151	=item $certs
	152
	153	Optional. A (hashref) pair of certificates.
	154	It's retrieved using L</retrieve_certs> if not given,
	155	or if the pair is expired.
	156
	157	=back
	158
	159	=head3 RETURNS
	160
	161	Public key of certificate.
	162
	163	=cut
	164
	165	sub get_key_from_cert {
	166	my ($self, $kid, $certs) = @_;
	167
	168	$certs \|\|= $self->retrieve_certs;
	169	my $cert = $certs->{$kid};
	170	my $x509 = Crypt::OpenSSL::X509->new_from_string($cert);
	171
	172	if ($self->is_cert_expired($x509)) {
	173	# If we ended up here, we were given
	174	# an old $certs string from the user.
	175	# Let's force getting another.
	176	return $self->get_key_from_cert($kid);
	177	}
	178
	179	return $x509->pubkey;
	180	}
	181
	182	=head2 is_cert_expired
	183
	184	Returns if a given L<Crypt::OpenSSL::X509> certificate is expired.
	185
	186	=cut
	187
	188	sub is_cert_expired {
	189	my ($self, $x509) = @_;
	190
	191	my $expiry = str2time($x509->notAfter);
	192
	193	return time > $expiry;
	194	}
	195
	196	=head2 decode
	197
	198	Returns the decoded information contained in a user's token.
199
200	=head3 ARGUMENTS
201
202	=over
203
204	=item $token
205
206	Required. The user's token from Google+.
207
208	=item $pubkey
209
210	Optional. A public key string with which to decode the token.
211	If not given, the public key will be retrieved from $certs.
212
213	=item $certs
214
215	Optional. A pair of public key certs retrieved from Google.
216	If not given, or if the certificates have expired, a new
217	pair of certificates is retrieved.
218
219	=back
220
221	=head2 RETURNS
222
223	Decoded JSON object from the decrypted token.
224
225	=cut
226
227	sub decode {
228	my ($self, $token, $certs, $pubkey) = @_;
229
230	if (!$pubkey) {
231	my $details = decode_json(
232	MIME::Base64::decode_base64(
233	substr( $token, 0, CORE::index($token, '.') )
234	)
235	);
236
237	my $kid = $details->{kid};
238	$pubkey = $self->get_key_from_cert($kid, $certs);
239	}
240
241	return JSON::WebToken->decode($token, $pubkey);
242	}
243
244	=head1 AUTHOR
245
246	Errietta Kostala <e.kostala@shadowcat.co.uk>
247
248	=head1 LICENSE
249
250	This library is free software. You can redistribute it and/or modify
251	it under the same terms as Perl itself.
252
253	=cut
254
255	1;